Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01/06/2024, 18:25
Behavioral task
behavioral1
Sample
2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe
-
Size
75KB
-
MD5
48b95a60ac891a5b3fd7d67ad32b0f26
-
SHA1
26907ad16a64b3c034466139b8da98a289813b0c
-
SHA256
d5cc71a54774fbcbc8eae09802498c5b3d9489f32b9eec49fa88be00f5e7fef1
-
SHA512
df06da5b4848d14e6bb04d24796fa8bf21dea8f6369f672d9f195e61d908796b90cade49dce2739d22aa83750a083380db49474899b2da95b9a118a57346f528
-
SSDEEP
1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsal81Gcc:1nK6a+qdOOtEvwDpj2
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral2/memory/3504-0-0x0000000000500000-0x000000000050F311-memory.dmp CryptoLocker_rule2 behavioral2/files/0x00090000000233dd-13.dat CryptoLocker_rule2 behavioral2/memory/3504-17-0x0000000000500000-0x000000000050F311-memory.dmp CryptoLocker_rule2 behavioral2/memory/4388-26-0x0000000000500000-0x000000000050F311-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral2/memory/3504-0-0x0000000000500000-0x000000000050F311-memory.dmp CryptoLocker_set1 behavioral2/files/0x00090000000233dd-13.dat CryptoLocker_set1 behavioral2/memory/3504-17-0x0000000000500000-0x000000000050F311-memory.dmp CryptoLocker_set1 behavioral2/memory/4388-26-0x0000000000500000-0x000000000050F311-memory.dmp CryptoLocker_set1 -
UPX dump on OEP (original entry point) 4 IoCs
resource yara_rule behavioral2/memory/3504-0-0x0000000000500000-0x000000000050F311-memory.dmp UPX behavioral2/files/0x00090000000233dd-13.dat UPX behavioral2/memory/3504-17-0x0000000000500000-0x000000000050F311-memory.dmp UPX behavioral2/memory/4388-26-0x0000000000500000-0x000000000050F311-memory.dmp UPX -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4388 asih.exe -
resource yara_rule behavioral2/memory/3504-0-0x0000000000500000-0x000000000050F311-memory.dmp upx behavioral2/files/0x00090000000233dd-13.dat upx behavioral2/memory/3504-17-0x0000000000500000-0x000000000050F311-memory.dmp upx behavioral2/memory/4388-26-0x0000000000500000-0x000000000050F311-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3504 wrote to memory of 4388 3504 2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe 81 PID 3504 wrote to memory of 4388 3504 2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe 81 PID 3504 wrote to memory of 4388 3504 2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_48b95a60ac891a5b3fd7d67ad32b0f26_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:4388
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
75KB
MD5ee5e090bb6194d75c3e602af5f8bc49a
SHA1fbe5b2ab65c1b2b6ea06687857ceab1e9521915c
SHA25639d63e44883f8e15cf5b3b90d35ca99f0250857c616bc80804e4ac763fef563a
SHA512e44101ed813db8117c36edfeeb48947e41e62e43860ffe0f6a0a7b68bd04ae48438f112988e77486f39802768ebb54beb0c3127bf940bc68760984b2db980864