Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 06:56
Behavioral task
behavioral1
Sample
2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe
Resource
win7-20240708-en
General
-
Target
2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe
-
Size
92KB
-
MD5
a8ad6cbe60ed001d334eae23d9bf7485
-
SHA1
3f30a326ea81773010527b2574a2346407035339
-
SHA256
1593884d23d28fd36e798c5d773c33d50f4af77dfa72d2d6ff7607e6624e1a16
-
SHA512
a1f03f49f8fb3a1e3a1448196680c07cbde59570e3e4b3d84fa07a08660b6a3d579645e80bdc126a65583a72fa231e9abac9b8b20e562bfc152c6354e4efa7a2
-
SSDEEP
1536:n6QFElP6n+g9u9cvMOtEvwDpjYYTjipvF2bx1PQAeT:n6a+1SEOtEvwDpjYYvQd2PS
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 3348 asih.exe -
resource yara_rule behavioral2/memory/4388-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x000a0000000228c9-13.dat upx behavioral2/memory/4388-17-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/3348-26-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4388 wrote to memory of 3348 4388 2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe 87 PID 4388 wrote to memory of 3348 4388 2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe 87 PID 4388 wrote to memory of 3348 4388 2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_a8ad6cbe60ed001d334eae23d9bf7485_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3348
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD530af4d342497b305293068ff3ccfc213
SHA1d634ba6628eec4bc55e2bda5cb5c8dcbe190dc35
SHA256daadd5281c9055ef2ff171b858ff1a0216b08a09569db12e7eaad629e84c2fbc
SHA512f272b5193a2a496dd9eb15e269f1923a289b98e72ba459da22d4806020b30ca7366efd9feee973667ee599466a45cea7f4ebde3b7c63810a7ce885e7aa5d81c9