98bc952ba2794def69f9b76f3bcb6cb2c4af16ba49369c1a0df57b2711da3032

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe
Size

51KB
MD5

d3448f8a3e85278e3c83898f2ac5973b
SHA1

95bb1599c685308982025e9f53f75c0ab246b4d7
SHA256

98bc952ba2794def69f9b76f3bcb6cb2c4af16ba49369c1a0df57b2711da3032
SHA512

51eed95a7e265edcf8d04e8ddae71e788d926f22cd4b7620c850d6e7ff1725ac9351e28016d9cefc11efeba76cbc9095b5f718f32334fab1987bd450bf33cad5
SSDEEP

768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qnTHGf0:79mqyNhQMOtEvwDpjBxe8GGf0

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral2/memory/1452-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000700000002328e-13.dat	CryptoLocker_rule2
behavioral2/memory/4344-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/1452-19-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral2/memory/1452-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000700000002328e-13.dat	CryptoLocker_set1
behavioral2/memory/4344-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/memory/1452-19-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4344	1452	2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe	82
PID 1452 wrote to memory of 4344	1452	2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe	82
PID 1452 wrote to memory of 4344	1452	2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_d3448f8a3e85278e3c83898f2ac5973b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
51KB

MD5
7d4321d97e18f509db6ae03ec1711699

SHA1
cc79cf0b1188d0c09dc6836229c43aa61e909551

SHA256
f07ebbc956ed85a770ca716507e5e7e97d3770a6ce55a29139ed2a7494a5f887

SHA512
ddce488d23e1e9901411f9ed33d0f88dbeae93bb23aa4b8847c9182ca4c99f878b026dfa59e6408355843ab0371f80ae0e8f9a77b982bee62f63a9c34cc8fd29

Download Submit
memory/1452-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1452-1-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/1452-2-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/1452-9-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/1452-19-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4344-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4344-20-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/4344-26-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download