Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 10:37

General

  • Target

    2024-06-03_b059feefd4be7876afc2800ac753c66d_cryptolocker.exe

  • Size

    48KB

  • MD5

    b059feefd4be7876afc2800ac753c66d

  • SHA1

    0258c379107252dab5dce7336821dda9b4d3ff97

  • SHA256

    e66008e42ee31205f3f37a7f2e506882b81f1c5b8f5f0a5871c0391f466bd2eb

  • SHA512

    3820bb717ab66b6ea9cb025e1753a8fc79ec0a92c157c546aeda2952f37d2191285c212cb8ed0acd7d157d62c5730ae6065e5ed5176f5ab0211fa4cabe857f6f

  • SSDEEP

    768:P6LsoVEeegiZPvEhHSP+gp/QtOOtEvwDpjBBMLZdzuqpXsiE8Wq/Dpkcd:P6Q0ElP6G+gJQMOtEvwDpjB8WMlfd

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-03_b059feefd4be7876afc2800ac753c66d_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-03_b059feefd4be7876afc2800ac753c66d_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:2044

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    48KB

    MD5

    da6af41a571a40bb4a62be7a3509e86d

    SHA1

    9a7805c38990bcbe2f90e27fa152ac78c6b3e94f

    SHA256

    709f8c0ae0e28ba86377a855da0dfe561803c1a035a49ab703600dd9cd997d27

    SHA512

    7dedbf349b8bbe7880027bda9e49f335e6cee3005ece8771d11e6601be4c5f6d813528ad34297d64f68e3b37d99447e5d0017a777399012f3b102a6e4c03bed7

  • memory/1324-0-0x0000000000500000-0x000000000050B000-memory.dmp

    Filesize

    44KB

  • memory/1324-1-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB

  • memory/1324-2-0x0000000002090000-0x0000000002096000-memory.dmp

    Filesize

    24KB

  • memory/1324-9-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB

  • memory/1324-17-0x0000000000500000-0x000000000050B000-memory.dmp

    Filesize

    44KB

  • memory/2044-19-0x0000000000650000-0x0000000000656000-memory.dmp

    Filesize

    24KB

  • memory/2044-25-0x0000000000630000-0x0000000000636000-memory.dmp

    Filesize

    24KB

  • memory/2044-26-0x0000000000500000-0x000000000050B000-memory.dmp

    Filesize

    44KB