Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11-09-2024 18:39
Behavioral task
behavioral1
Sample
2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe
Resource
win7-20240708-en
General
-
Target
2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe
-
Size
38KB
-
MD5
faf10cfe6c0134beaa077277cfd77ced
-
SHA1
73ff0add24f40bde2ff9325e5749e577a5f95852
-
SHA256
da39ab92f70ac880fc8524720821900e7ca5ef473aed0bb71bf635e919ae9d72
-
SHA512
731c772cd71e74aae2b7f90e498559ed36bed18c247dc2fba664fd59d8b0ecbab026495c5b933c14e78523115eba3260922a35c69a764bdf0fb0a8713dfe9940
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkIT6k:qDdFJy3QMOtEvwDpjjWMl7T6k
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4684 asih.exe -
resource yara_rule behavioral2/memory/208-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x00090000000233b3-13.dat upx behavioral2/memory/208-19-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/4684-27-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 208 wrote to memory of 4684 208 2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe 85 PID 208 wrote to memory of 4684 208 2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe 85 PID 208 wrote to memory of 4684 208 2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-11_faf10cfe6c0134beaa077277cfd77ced_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4684
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5a04da0620892e40da450f6fd74e43557
SHA190c1d11dd20a694320166072af689774d586b778
SHA256011b92929b72c34eb59d4bdd4977978147de64fc8e02f4b0bd15e28ea9104451
SHA51225d87f18db76f92e29fec1dfc9233f457bd257565dbd10f43c380dfcdc87298dfae0a5d940c6299435c381b1741ed349d69a4d38db4f55ec713eeca9831afd95