Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/06/2024, 21:39
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe
-
Size
75KB
-
MD5
e9038d4226c1d7685477d0acb55d03fb
-
SHA1
8fc1f6c8f2107e7590ca53a81f8431000ed27beb
-
SHA256
d56e9510272d109b4e4c0025d7e7536a8ad71c3c4a6d2db358bcf68a4aaa2999
-
SHA512
d9b7664f0dcaef8841eae5399dd19c2e8871e7746e6a0622008445fdaad91ca2603a2b3a56a77a0df90fe5c125fe2e08dddb776dde2d41afa6c90798c437f76e
-
SSDEEP
768:u6LsoEEeegiZPvEhHSG+gZgtOOtEvwDpjeY10Y/YMs6gt4:u6QFElP6n+gWMOtEvwDpjJGYQbb4
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023261-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023261-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 2152 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2152 2136 2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe 91 PID 2136 wrote to memory of 2152 2136 2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe 91 PID 2136 wrote to memory of 2152 2136 2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_e9038d4226c1d7685477d0acb55d03fb_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:2152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:2452
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
75KB
MD5388de437cdab1ebf21f3d391bc3ab599
SHA1c6fe1324bbb72d50f7c927b80478469cd9af8a78
SHA256329d290cf4b75a61bcb43148c88a816862c53c4aaa8d9df404632644518cd473
SHA51276776e0855dd58e0a87cdac5b462c7804938651916c901fab1c0c60d15489fb5087964abe488fba3a7228dfbc7c9a6146b44b16e0a1a5649e3718f91bc6c7126