Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 31/05/2024, 15:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe
Size: 49KB
MD5: 038f624ec719ef7249d943f1eaddcf1e
SHA1: ba1e358f1ae64cb8e49f6ebcae939dc924dd6770
SHA256: c6664951962325b445189b178c59a5af0ba0af4096d9cbcb81acf90619b515b8
SHA512: 1a8c0dba4cb2e911f6e7cf27dc913d70556a3ac4bd7e5795f166bb196dffcc028484047ff92df8f3ff71455d5f8c44b383e020c82308cc161648f84266cb9ffc
SSDEEP: 768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vdXfN:X6QFElP6n+gJBMOtEvwDpjBtEdXfN
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral2/files/0x00090000000233fa-12.dat
  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoC)
  resource: behavioral2/files/0x00090000000233fa-12.dat
  yara_rule: CryptoLocker_set1
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe
Executes dropped EXE (1 IoC)
  pid: 1860
  Process: asih.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                        procid_target
  PID 1336 wrote to memory of 1860  1336  2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe  83
  PID 1336 wrote to memory of 1860  1336  2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe  83
  PID 1336 wrote to memory of 1860  1336  2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe  83
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1336
  C:\Users\Admin\AppData\Local\Temp\asih.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    - Executes dropped EXE
    PID: 1860
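Correlating the three behaviours flagged above (the Geo\Nation registry lookup, the dropped asih.exe executed from %TEMP%, and the parent writing into the child's memory) over a process/registry event stream, as an added example that is not part of this sandbox report. The event schema, the field names, the SAMPLE_EVENTS list and the correlate() function are constructed assumptions modelled on the process tree in this report; the explorer.exe/notepad.exe rows are constructed benign noise. Two caveats the rules encode: Sysmon does not record registry value reads, so a registry_query event has to come from sandbox or EDR telemetry; and a parent writing into a freshly created child is also what CreateProcess itself does, so that write is only counted when both parent and child live under %TEMP%.

```python
import re
from collections import defaultdict

# Constructed events (assumed schema, not sandbox output). PIDs and paths follow
# the process tree in this report; the explorer/notepad rows are benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4212, "ppid": 900,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 1336, "ppid": 4212,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-05-31_038f624ec719ef7249d943f1eaddcf1e_cryptolocker.exe"},
    {"type": "registry_query", "pid": 1336,
     "key": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 1860, "ppid": 1336,
     "image": r"C:\Users\Admin\AppData\Local\Temp\asih.exe"},
    {"type": "process_access", "source_pid": 1336, "target_pid": 1860, "granted_access": 0x1FFFFF},
    {"type": "process_create", "pid": 5000, "ppid": 4212,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_access", "source_pid": 4212, "target_pid": 5000, "granted_access": 0x1FFFFF},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target handle


def correlate(events):
    """Return one finding per process that matches at least one of the rules."""
    procs = {}                     # pid -> (image, ppid)
    geofence_readers = set()       # pids that queried Geo\Nation
    vm_writes = defaultdict(set)   # source pid -> target pids opened with VM_WRITE

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = (ev["image"], ev["ppid"])
        elif kind == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            geofence_readers.add(ev["pid"])
        elif kind == "process_access" and ev["granted_access"] & PROCESS_VM_WRITE:
            vm_writes[ev["source_pid"]].add(ev["target_pid"])

    findings = []
    for pid, (image, ppid) in procs.items():
        parent_image = procs.get(ppid, ("", None))[0]
        hits = []
        # Rule 1: a binary running out of %TEMP% reading the configured country.
        if pid in geofence_readers and TEMP_RE.search(image):
            hits.append("geofence lookup from %TEMP% binary")
        # Rule 2: a %TEMP% binary spawning another %TEMP% binary (dropped EXE).
        if TEMP_RE.search(image) and TEMP_RE.search(parent_image):
            hits.append("dropped EXE executed from %TEMP%")
            # Rule 3: only meaningful on top of rule 2, since CreateProcess
            # itself writes into every new child.
            if pid in vm_writes.get(ppid, ()):
                hits.append("parent wrote into child memory")
        if hits:
            findings.append({"pid": pid, "image": image, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "->", "; ".join(f["hits"]))
```

Run against the constructed stream this reports the parent (1336) for the geofence lookup and the child (1860) for the dropped-EXE execution plus the parent write, while the explorer-to-notepad write is ignored because neither image sits in %TEMP%.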
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 49KB
MD5: 41111690336ac1c727fa504170b83ca9
SHA1: a2f3e074a1f16b7448df1bc2c5a98e6d1bf51d17
SHA256: a870aa04cffb7a957aab99c8eab82bbe6f071d4b065ec9b736ee3ed5d5eb26c1
SHA512: dbb2496e4f53eebd56e39832dd4aedf05d33fd755fa0c99c35b7492c2afc613b02b80a8268b70003f7105b778e194e3b8a36f8b8af7cda395a29a003dd23e1d8