bac357bb40eb0b1f6f38f3dcd2d2f94542ce3db5ad3bcd83598eeb7451488882

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe
Size

96KB
MD5

bcc24e7c6cf07e73ec7df5cbbd71ddb0
SHA1

54d8a7b057f7f43cd3578fd0bf322f59d0b3cf95
SHA256

bac357bb40eb0b1f6f38f3dcd2d2f94542ce3db5ad3bcd83598eeb7451488882
SHA512

8e9b1f143763095e2f9fe0cc2ebb75c8ee299e9178743aabcdc91606c998ac720846afdf7d6b385cd93ecef21331fd6ebd6cdf0f70047da3812b8bdcf4b02335
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNgp0D:V6a+pOtEvwDpjtz7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b4b-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b4b-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1028	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1028	2676	2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe	86
PID 2676 wrote to memory of 1028	2676	2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe	86
PID 2676 wrote to memory of 1028	2676	2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_bcc24e7c6cf07e73ec7df5cbbd71ddb0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
96KB

MD5
08756aa8f88cbf38acef653d1d5bf1a8

SHA1
512f9fdd1e0165547a1435fbf8117436364e0af4

SHA256
de0242a490aca356f5cc847ee0424839343bc45e921fef209c55e9353ca87587

SHA512
a10f45f09c20f43de1da4fff72b8f8ccb0b357b57199db65c795dea04534674b67729098104b28fcba30f2db3f24ca6f344656e28db6b164a6b6628ec7f837e3

Download Submit
memory/1028-18-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1028-23-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2676-0-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/2676-1-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/2676-8-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download