Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2024 20:25
Behavioral task: behavioral1
Sample: 2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
Resource: win7-20240903-en
General

Target: 2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
Size: 32KB
MD5: 6de5800826e55c4a807716e4d2c80ec3
SHA1: 1a5cdf4aeb22bf28a63c10166ecfa3b757deee03
SHA256: bc137cd60bbe2f5da2816a93ad1b5b654117abe14dc8ab1b0207893a7b286f59
SHA512: cf566703d6e54fb555f55a7bff81ad0c77ed79fb1b8af1245055d0f97865f2b3cf92c89b982e03b1b28fe1e1a18cc3a82a214948e4d173e2afabfb977778c403
SSDEEP: 768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axjm:qUmnpomddpMOtEvwDpjjaYaA
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation
  Process: 2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe

Executes dropped EXE (1 IoC)
  pid: 4600
  Process: asih.exe

UPX packed file (YARA rule: upx, 4 IoCs)
The same rule fires on the parent's memory at load time, on the dropped file, and on the child's memory, so the dropped payload is packed the same way as the sample.
  resource: behavioral2/memory/1320-0-0x0000000000500000-0x000000000050F000-memory.dmp  yara_rule: upx
  resource: behavioral2/files/0x000800000002346c-13.dat  yara_rule: upx
  resource: behavioral2/memory/1320-18-0x0000000000500000-0x000000000050F000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/4600-26-0x0000000000500000-0x000000000050F000-memory.dmp  yara_rule: upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: asih.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Three identical events were recorded, all from the parent into the dropped child:
  description: PID 1320 wrote to memory of 4600
  pid: 1320
  Process: 2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
  procid_target: 84
  (recorded 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe"
   PID: 1320
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 1320)
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 4600
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
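The behaviours above (a registry probe of Geo\Nation and NLS\Language, a file dropped to Temp and executed, and WriteProcessMemory from the parent into that child) are each weak on their own; reading NLS\Language in particular is something plenty of benign software does. What makes the report actionable is the combination within one process tree. The following is an added example, not code from the sandbox or from this report page: it replays a constructed event list built from the report's PIDs, paths and registry keys through a small triage routine and produces per-process findings. The event schema (dicts with op, pid, path, target, image) is an assumption for the example and is not the sandbox's real export format.

```python
"""Correlate flattened sandbox behaviour events into findings.

Added example, not code from the sandbox or the report. EVENTS is constructed
from the report's signatures and process tree (PIDs 1320 and 4600, the
Geo\\Nation and NLS\\Language keys, asih.exe). The event schema is an
assumption for this example, not the sandbox's real export format.
"""
import re
from collections import defaultdict

# Constructed events, in the order the report presents them.
EVENTS = [
    {"op": "process_start", "pid": 1320, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe"},
    {"op": "reg_query", "pid": 1320,
     "path": r"\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation"},
    {"op": "reg_open", "pid": 1320,
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"op": "file_write", "pid": 1320, "path": r"C:\Users\Admin\AppData\Local\Temp\asih.exe"},
    {"op": "process_start", "pid": 4600, "ppid": 1320,
     "image": r"C:\Users\Admin\AppData\Local\Temp\asih.exe"},
    {"op": "write_process_memory", "pid": 1320, "target": 4600},
    {"op": "write_process_memory", "pid": 1320, "target": 4600},
    {"op": "write_process_memory", "pid": 1320, "target": 4600},
    {"op": "reg_open", "pid": 4600,
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

# Registry paths whose read is a location/language probe. Only the tail of the
# path is matched, so the user SID and ControlSet number do not matter.
LOCATION_KEYS = {
    "geofence_country_code": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "system_language": re.compile(r"\\Control\\NLS\\Language$", re.I),
}


def triage(events):
    """Return a sorted list of (finding, pid, detail) tuples for the event stream."""
    findings = set()
    written_files = defaultdict(set)   # pid -> lower-cased paths that pid wrote
    parent_of = {}                     # pid -> ppid, from process_start events
    for ev in events:
        op = ev["op"]
        if op == "process_start":
            parent_of[ev["pid"]] = ev["ppid"]
            # A process whose image was written earlier by its own parent is a
            # dropped-and-executed payload (the report's "Executes dropped EXE").
            writer = ev["ppid"]
            if writer is not None and ev["image"].lower() in written_files[writer]:
                findings.add(("executes_dropped_exe", ev["pid"], ev["image"]))
        elif op == "file_write":
            written_files[ev["pid"]].add(ev["path"].lower())
        elif op in ("reg_query", "reg_open"):
            for name, pattern in LOCATION_KEYS.items():
                if pattern.search(ev["path"]):
                    findings.add((name, ev["pid"], ev["path"]))
        elif op == "write_process_memory":
            # Writing into a child you just spawned is the usual way a dropper
            # feeds its payload; repeated identical events collapse to one finding.
            relation = "child" if parent_of.get(ev["target"]) == ev["pid"] else "unrelated"
            findings.add(("write_process_memory_" + relation, ev["pid"], "target pid %d" % ev["target"]))
    return sorted(findings)


def findings_by_pid(events):
    """Group finding names by the process that produced them."""
    grouped = defaultdict(list)
    for name, pid, _detail in triage(events):
        grouped[pid].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for pid, names in sorted(findings_by_pid(EVENTS).items()):
        print(pid, ", ".join(names))
```

The dropped-EXE rule keys on "image written earlier by the parent" rather than on the Temp directory, so it also catches payloads dropped elsewhere; the WriteProcessMemory rule distinguishes injection into a freshly spawned child (as here) from writes into an unrelated process, which is the case a responder wants escalated first.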
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 32KB
MD5: ddee684fe1320c838fa6f4ad6e9880c9
SHA1: 978e187efdb21cc0301c59fdd19538cc13d208d5
SHA256: ae1340913bc985214d060ff9df6640e5eb5f91d0201f433c50285bd704c54ecb
SHA512: 2fac9758fef9540315c68379ac28925f7c5a9289d0a4906fa723cbccb91e6fcb7c841ad150668a097968ffdd4482af03b56187db31cd3eb66d036380c29623d0