Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05-10-2024 05:30

General

  • Target

    2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe

  • Size

    48KB

  • MD5

    32b5957293f98168157e41878c75c728

  • SHA1

    3709c779cf26aeebcaa14a7e767853d1d9ee2f00

  • SHA256

    9f9ba87db16da2ad25f1d57d5584d5608cbb6a630fbebb4ab03fc9df2877a1d1

  • SHA512

    fab9bd01769a608dce77358b0baa2b828d709cdb612337962d9e5b3ae9400ec65742bdc0eb2473d5f1150cd65e15e703c0d5a35843b9b27be694d157d7ad7e34

  • SSDEEP

    768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qn8pKyNk:79mqyNhQMOtEvwDpjBxe8TpLk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4832
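
As an added example (not part of the original report and not the sandbox's own code), the following Python script parses the process listing above, rebuilds parent/child links from the ⤵ depth markers and PID lines, and applies two first-pass triage rules: a process whose image path is one of the files listed under Downloads (a dropped EXE being executed), and a parent tagged with WriteProcessMemory that went on to spawn children. The process text and the dropped-file hash are copied from this report as constructed input; the second rule is a responder's heuristic, not one of the report's signatures, and the lower-casing of paths for matching is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Process listing copied from the report above (constructed input for this example).
PROCESS_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe"
  1⤵
  • Checks computer location settings
  • System Location Discovery: System Language Discovery
  • Suspicious use of WriteProcessMemory
  PID:4004
  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    2⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4832
"""

# Dropped file and its SHA256 from the report's Downloads section (constructed input).
DROPPED_SHA256 = {
    r"c:\users\admin\appdata\local\temp\asih.exe":
        "a732aeb52b24dd6395051ea938dba22f7d40d2ed8d924f9c3b21588f58cb55ac",
}


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int | None = None
    parent_pid: int | None = None
    signatures: list[str] = field(default_factory=list)


PATH_RE = re.compile(r"^[A-Za-z]:\\")          # an image path starts a new entry
DEPTH_RE = re.compile(r"^(\d+)⤵$")             # nesting level in the report
PID_RE = re.compile(r"^PID:(\d+)$")            # PID line closes an entry
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_process_tree(text: str) -> list[Proc]:
    """Turn the report's indented process listing into Proc records with parent links."""
    procs: list[Proc] = []
    last_pid_at_depth: dict[int, int] = {}
    cur: Proc | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bullet = line.startswith("•")
        if bullet:
            line = line[1:].strip()
        if PATH_RE.match(line):              # new process (the root entry has no bullet)
            cur = Proc(image=line)
            procs.append(cur)
            continue
        if cur is None:
            continue
        if bullet:                           # every other bullet is a signature hit
            cur.signatures.append(line)
        elif line.startswith('"'):           # quoted command line
            cur.cmdline = line
        elif (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif (m := PID_RE.match(line)):      # resolve the parent as the last PID one level up
            cur.pid = int(m.group(1))
            cur.parent_pid = last_pid_at_depth.get(cur.depth - 1)
            last_pid_at_depth[cur.depth] = cur.pid
    return procs


def triage(procs: list[Proc], dropped_sha256: dict[str, str]) -> list[dict]:
    """Apply two first-pass rules to the parsed tree and return the findings."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    findings: list[dict] = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        key = p.image.lower()                # assumption: case-insensitive path matching
        # Rule 1: a file the sample wrote to disk is now running as its own process.
        if parent is not None and key in dropped_sha256:
            findings.append({
                "rule": "dropped_exe_executed",
                "pid": p.pid,
                "parent_pid": parent.pid,
                "image": p.image,
                "sha256": dropped_sha256[key],
                "in_temp": bool(TEMP_RE.search(p.image)),
            })
        # Rule 2 (heuristic, not a report signature): a parent that wrote into another
        # process and also has children; the children's memory dumps are worth a look.
        if "Suspicious use of WriteProcessMemory" in p.signatures:
            kids = [c.pid for c in procs if c.parent_pid == p.pid]
            if kids:
                findings.append({"rule": "wpm_parent_with_children",
                                 "pid": p.pid, "children": kids})
    return findings


if __name__ == "__main__":
    tree = parse_process_tree(PROCESS_TREE)
    for p in tree:
        print(f"{'  ' * (p.depth - 1)}pid={p.pid} parent={p.parent_pid} {p.image}")
    for finding in triage(tree, DROPPED_SHA256):
        print(finding)
```

Run against the listing above, the script links PID 4832 to parent 4004 and flags asih.exe as a dropped executable running from the user's Temp directory. Note that asih.exe is 48KB like the submitted sample but hashes differently, so it is not a byte-identical copy of the parent; the memory dumps listed for PID 4832 under Downloads are where to look at what it actually runs.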

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    48KB

    MD5

    fc5fe66c83d2ebdb83c2368baec104f0

    SHA1

    5dbd2bd247c40b7ae5326c7f7b9eede4cca73d9f

    SHA256

    a732aeb52b24dd6395051ea938dba22f7d40d2ed8d924f9c3b21588f58cb55ac

    SHA512

    95cbb26690698c941c04ab28a1d1a82165efa7d41d64196541149b5201078f6c17820d2ea086fdb824a8187025292b955a04a471a444b42058809f620372b5a3

  • memory/4004-0-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

  • memory/4004-1-0x00000000006A0000-0x00000000006A6000-memory.dmp

    Filesize

    24KB

  • memory/4004-2-0x00000000006A0000-0x00000000006A6000-memory.dmp

    Filesize

    24KB

  • memory/4004-3-0x00000000007D0000-0x00000000007D6000-memory.dmp

    Filesize

    24KB

  • memory/4004-17-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

  • memory/4832-19-0x00000000004F0000-0x00000000004F6000-memory.dmp

    Filesize

    24KB

  • memory/4832-25-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

  • memory/4832-26-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB