c8eca554bd1419859656073d3a3625eb2bb4f25f6d8589ca622cefb1c39401af

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 15:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe
Size

39KB
MD5

53d8317c07854318ab64df6217dcccd0
SHA1

78cd70d91038ebd1fcf0edc3263ed95aefaef867
SHA256

c8eca554bd1419859656073d3a3625eb2bb4f25f6d8589ca622cefb1c39401af
SHA512

a45c276e6469bd5e94632d08d9e5daac7d75fe59a65cae26e165dedab1b05467d26dd9c9e26623a0e5d33682161bbb6beba72087d01f0f5c48ab2a6bc8c9d77a
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFCw0z:X6QFElP6n+gJQMOtEvwDpjBmzDU5z

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2484	4420	2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe	82
PID 4420 wrote to memory of 2484	4420	2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe	82
PID 4420 wrote to memory of 2484	4420	2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_53d8317c07854318ab64df6217dcccd0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
39KB

MD5
bcaf7042f71648cbd9f86567d12877b7

SHA1
0a74a132538fe67920631e90e895634d2a534a19

SHA256
7a4c831d79a50f52ff076b96eaa017a5edc48927f5c6c1d6fae1401b33fdd96b

SHA512
a1c5c2ea83e78016b1d87780c8cf4c44353b34f2730c9ef1d1cb1237309b48baaa3adea28bb398b035b6986a8d5f434c74aa16905e231f5b5450e01f7322666a

Download Submit
memory/2484-23-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/2484-17-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/4420-0-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download
memory/4420-1-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/4420-8-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download