Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 18:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe
Size: 49KB
MD5: c9daa7b60a793b9aefaf1b25eaf6e8c6
SHA1: 924bc7d5ccd16f584d113188f0d0e91cd03aff6c
SHA256: c2455b14315bbf5fd0f42ca99d4fd739c25268ef30471c12b9ea67a4385f7146
SHA512: 45ce6ccd91639e6b14a15f149e1ba73400f19e3cb222651b6d64fce08fccf94e8bc9b744fae70c2ebdf93b21b08ac7bdd874cd77a5cff07aa899af906ec4e832
SSDEEP: 768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vdXfV:X6QFElP6n+gJBMOtEvwDpjBtEdXfV
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral2/files/0x0007000000023288-15.dat
  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoC)
  resource: behavioral2/files/0x0007000000023288-15.dat
  yara_rule: CryptoLocker_set1
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
  Process: 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe
Executes dropped EXE (1 IoC)
  pid: 1568
  Process: asih.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1300 wrote to memory of 1568 | 1300 | 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe | 82
  PID 1300 wrote to memory of 1568 | 1300 | 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe | 82
  PID 1300 wrote to memory of 1568 | 1300 | 2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe (PID 1300)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-21_c9daa7b60a793b9aefaf1b25eaf6e8c6_cryptolocker.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (PID 1568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 49KB
MD5: c96ad1b8ca8baedafd3347f1641ecd11
SHA1: 1efa9ecdd8ed1aa531258fa1e96a6866d2d4a35e
SHA256: 40742e0849718143af9fe59b3629152180456e4ed63fa4537bfb382966f38c48
SHA512: da2720e72cbfd4d18ac5a881ca278e23e187d07eb424b50460fc8a897fa864c99de2e3e26186584e8ed87470deb1af7aa23017345a8b533419f7b3082b7b0879