94fb0ac1001ee0b8676506069515f467e3f526c41019cbdaaac1078d945b0fe5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe
Size

49KB
MD5

b770071f52a66960b14dec795cb7f11c
SHA1

5dd6ecdf2b552ab02ba0f16b2bf961fda8aaa229
SHA256

94fb0ac1001ee0b8676506069515f467e3f526c41019cbdaaac1078d945b0fe5
SHA512

4cb87800b22e28a687ea9f1950d12d73a6f0cfc9679c549579359c63df17973c1380b8cc447945244bf9e8d816a591c7a323ef28ebfc5f80a4932ff383c9eb6d
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vdXfB:X6QFElP6n+gJBMOtEvwDpjBtEdXfB

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

1184 asih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1184	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe

description	pid	process	target process
PID 1172 wrote to memory of 1184	1172	2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe	asih.exe
PID 1172 wrote to memory of 1184	1172	2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe	asih.exe
PID 1172 wrote to memory of 1184	1172	2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b770071f52a66960b14dec795cb7f11c_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
1c71709e6cb7d1ac2ea2ccce36c94066

SHA1
dda4d87d45206c682e663dbd21ff3483eb4a9e3c

SHA256
2481dd7d93e03af1b5d5b97595bab2dde8492a5df45f37377985a0328183b664

SHA512
efbf8a7ccd055f110294d32fd3d0f6823e5c0427608b11b579492b5f0f9748ea1220fe4331b196c5a589d1d5c6d4e03d093470321d7fcc8db7b13fa4248792b8

Download Submit
memory/1172-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1172-1-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1172-8-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download