Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 18:56
Behavioral task
behavioral1
Sample
2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe
Resource
win7-20240903-en
General
-
Target
2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe
-
Size
40KB
-
MD5
6cd9e5086e82f6b76f9fa7c7de04a8bb
-
SHA1
099e9f25528ffdd8245d1ee0b1ca58c87afcb870
-
SHA256
de4e1e6bae2691c9ade20752ec4b3d4013bad8271f15ce0465d3d4b4965c9a1e
-
SHA512
325ffa6b4135ecd9762c1d5976eeaab509262e251f570c5a4838d27584f59830d02fbafb7217a74196e097b3082ca21d27ab0b5f6c682b0242ff982c5f514feb
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITYaIdX:qDdFJy3QMOtEvwDpjjWMl7TdAX
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 5108 asih.exe -
resource yara_rule behavioral2/memory/1724-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x00080000000234c6-12.dat upx behavioral2/memory/5108-17-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/1724-20-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/5108-28-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1724 wrote to memory of 5108 1724 2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe 82 PID 1724 wrote to memory of 5108 1724 2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe 82 PID 1724 wrote to memory of 5108 1724 2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-27_6cd9e5086e82f6b76f9fa7c7de04a8bb_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5b5c38d30acb9cd617581db2e37569d41
SHA15131a71d9472f98714adbde41340a0e2dd573d87
SHA25698563dde18fdb3beaf61ccd73a756d36d7c530e2ca76edc989c8514b75c42164
SHA512bfbdeb21c0b9b881978ae8db50ff5704066bf21b622a8bd01a3ff863c735a821359abbf4cb0242151bd16ad850fd614956163b665aacd5c9bc7e7fd383346950