f066eb36d005e4511cf18ddf4a0a7a4d952a58f7e7a196d499827c5fd10b1051

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe
Size

39KB
MD5

94c362d801691e3973aeb8e7ad025d15
SHA1

dbc15913b48cc2e059c914d7325a3f6de5a56825
SHA256

f066eb36d005e4511cf18ddf4a0a7a4d952a58f7e7a196d499827c5fd10b1051
SHA512

fed2a7376aa23a4a817ed9c5708a42b392766393bf905db93396e1919ab614f59ac394b4f5ed26a3245fa327924fe6e3c8aa070352833920605302d998b47dee
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITYaBsw:qDdFJy3QMOtEvwDpjjWMl7TdX

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2
behavioral2/memory/2736-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/1336-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1
behavioral2/memory/2736-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/1336-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\asih.exe	UPX
behavioral2/memory/2736-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/memory/1336-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

1336 asih.exe

pid	process
1336	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\asih.exe	upx
behavioral2/memory/2736-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1336-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe

description	pid	process	target process
PID 2736 wrote to memory of 1336	2736	2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe	asih.exe
PID 2736 wrote to memory of 1336	2736	2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe	asih.exe
PID 2736 wrote to memory of 1336	2736	2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_94c362d801691e3973aeb8e7ad025d15_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
39KB

MD5
4e44e10c1f2abf852f5b10dbade3750d

SHA1
0b8144c393a719d20e8118d0fdac4d077f5a4425

SHA256
04234a4123c2cea5d305fb734fece979220718daa12ad95ee46fd57065674da3

SHA512
60deaa464bd1c557ca0522496e75c5f312b05945b8c5337871b8018597969b75658e4fee85c0cbe6f9ba4e03193999c761a249b613151d2f56d03c59cc18a668

Download Submit
memory/1336-25-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/1336-19-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/1336-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2736-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2736-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2736-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2736-8-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2736-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download