Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 04:31
Behavioral task
behavioral1
Sample
2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe
Resource
win7-20240903-en
General
-
Target
2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe
-
Size
39KB
-
MD5
781148dc3c8b0fae02141535e6873321
-
SHA1
2e6178d8cb185e870d1cf81ae289c9829d7e012c
-
SHA256
2122bb760ae2a0e46627f0380fe2a971dbd6c2742eaf6736697b5f6a2b4eb6e0
-
SHA512
9079a94847569dca2e63a86230eca26f0c57696ffe38470c8bcbbc936fc3f5a65d7110d96fe8c83e50bb108de1105f13f1d16e76fec3c81f1d22b8c173a63e9a
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkIT0:qDdFJy3QMOtEvwDpjjWMl7T0
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation 2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 628 asih.exe -
resource yara_rule behavioral2/memory/3132-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x0008000000023455-13.dat upx behavioral2/memory/3132-18-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/628-27-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3132 wrote to memory of 628 3132 2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe 81 PID 3132 wrote to memory of 628 3132 2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe 81 PID 3132 wrote to memory of 628 3132 2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-03_781148dc3c8b0fae02141535e6873321_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:628
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD5df0d5bb96232c3e79c9fcc24d5d20206
SHA1d118a150d320bcb7fb8b0d344827c700ee503dfb
SHA2568a7e785dbfba6ffcd6222164af0590726cfbec735e36e9c840794a4b02a5c3c6
SHA512a607025c574ebfef8166f1838d38ee695cb303142bf9eb718ade4fdca6845502de5f191ed28c65b34ee1aa23ba49a1c99eba1ed6a9051122fa4e05e6b1416e26