Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe
Size: 73KB
MD5: dbb555a7453dc4070d3b80b3f17f843a
SHA1: 2b2d4872dc252a84c9bcc04290c376038c6aeb63
SHA256: 7bf7aba02b153fb482dfcae85db0e2d8e114b702626eaed177c0a10849b6d834
SHA512: de0e17ccaa70dbc7dc6b9ebdfcca1a0d064d332732de37ed554ae59b5984fb1c39e9025ce70c88b5eeb644bd806b867765a698af821564c5298efe02fc9bba3e
SSDEEP: 768:u6LsoEEeegiZPvEhHSG+gZgtOOtEvwDpjeY10Y/YMsPj:u6QFElP6n+gWMOtEvwDpjJGYQbb
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral2/files/0x00070000000232a4-12.dat
  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoC)
  resource: behavioral2/files/0x00070000000232a4-12.dat
  yara_rule: CryptoLocker_set1
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  process: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe
Executes dropped EXE (1 IoC)
  pid: 1392
  process: asih.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2364 wrote to memory of 1392 | pid: 2364 | process: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe | procid_target: 82
  description: PID 2364 wrote to memory of 1392 | pid: 2364 | process: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe | procid_target: 82
  description: PID 2364 wrote to memory of 1392 | pid: 2364 | process: 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe | procid_target: 82
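As an added example (not part of the sandbox report and not the sandbox vendor's tooling), the Python below reads the signature rows above, rebuilds the parent/child relation from the WriteProcessMemory rows, ties the dropped-and-executed asih.exe to the parent that wrote into it, and flags the Geo\Nation registry read as a probable geofence. The input string is the report's own IoC rows pasted verbatim; the names Summary, parse_report, process_tree and assess, the severity labels, and the regular expressions are my own and assume the row layout seen in this report.

```python
"""Turn the signature rows above into a process tree and a short triage verdict.

Added example, not part of the sandbox report or of the sandbox vendor's code.
Input is the report's own IoC rows, pasted into a string, so it runs offline.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the rows from the "Signatures" section, one per line.
REPORT = """\
Key value queried \\REGISTRY\\USER\\S-1-5-21-2804150937-2146708401-419095071-1000\\Control Panel\\International\\Geo\\Nation 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe
pid Process 1392 asih.exe
PID 2364 wrote to memory of 1392 2364 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe 82
PID 2364 wrote to memory of 1392 2364 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe 82
PID 2364 wrote to memory of 1392 2364 2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe 82
"""

# Row shapes (assumed from this report):
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
#   "pid Process <pid> <image>"
#   "Key value queried <key, may contain spaces> <image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
DROPPED_RE = re.compile(r"^pid Process (\d+) (\S+)$")
REGQUERY_RE = re.compile(r"^Key value queried (\S.*?) (\S+)$")
GEO_KEY = r"\Control Panel\International\Geo\Nation"   # HKCU value holding the GeoID


@dataclass
class Summary:
    dropped: dict = field(default_factory=dict)      # pid -> image of executed dropped EXE
    writes: dict = field(default_factory=dict)       # (src pid, dst pid) -> write count
    writers: dict = field(default_factory=dict)      # src pid -> image
    geo_queries: list = field(default_factory=list)  # images that read Geo\Nation
    findings: list = field(default_factory=list)     # (severity, text)


def parse_report(text: str) -> Summary:
    s = Summary()
    for line in text.splitlines():
        if m := WPM_RE.match(line):
            src, dst = int(m[1]), int(m[2])
            s.writes[(src, dst)] = s.writes.get((src, dst), 0) + 1
            s.writers[src] = m[3]
        elif m := DROPPED_RE.match(line):
            s.dropped[int(m[1])] = m[2]
        elif m := REGQUERY_RE.match(line):
            if m[1].endswith(GEO_KEY):
                s.geo_queries.append(m[2])
    assess(s)
    return s


def process_tree(s: Summary) -> dict:
    """Parent -> sorted child pids, taking the writer as the parent (in this
    report the Processes tree confirms that 2364 spawned 1392)."""
    tree = {}
    for src, dst in s.writes:
        tree.setdefault(src, set()).add(dst)
    return {p: sorted(c) for p, c in tree.items()}


def assess(s: Summary) -> None:
    """Rank the indicators. A handful of writes from a parent into a child it
    has just created is also what ordinary process creation produces, so the
    writes alone are weak; writes into a dropped executable that is then run
    are the drop-and-execute pattern worth acting on."""
    for (src, dst), n in s.writes.items():
        if dst in s.dropped:
            s.findings.append(("high",
                f"{s.writers[src]} (pid {src}) wrote {n}x into dropped child "
                f"{s.dropped[dst]} (pid {dst}) which was then executed"))
        else:
            s.findings.append(("low",
                f"pid {src} wrote {n}x into pid {dst}; consistent with plain "
                f"process creation, needs more context"))
    for image in s.geo_queries:
        s.findings.append(("medium",
            f"{image} read HKCU{GEO_KEY} (GeoID): locale check, a common "
            f"geofence used to skip certain countries"))


if __name__ == "__main__":
    summary = parse_report(REPORT)
    print("process tree:", process_tree(summary))
    for severity, text in summary.findings:
        print(f"[{severity}] {text}")
```

On this report the script yields one parent (2364) with one child (1392), a high finding because the child is the dropped asih.exe, and a medium finding for the GeoID read. The low tier exists because the three WriteProcessMemory rows are exactly what a sandbox hook records when a parent sets up a child it is creating; on their own they are not evidence of injection, and it is the combination with the dropped-file execution that makes the verdict.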
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-03_dbb555a7453dc4070d3b80b3f17f843a_cryptolocker.exe"
   PID: 2364
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 2364)
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 1392
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 74KB
MD5: 826aebc146fd5e1305f80259b82ff49e
SHA1: f1dc566bacb2d3a14b6d056c9409d81d1b96fef0
SHA256: 5f79eb94fd598b49c5d33935d3f73c7ffbe11cf131cd23453eeabc02ca77337e
SHA512: 45691b2136258943c635c053022cd14db9a2636eb2c9040c902b50e8fcf72d21361fc637d6ef1f152051690b49e40e1f8f3ad111f7f3e14d6ea55dfea47e935e