Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2024 05:30
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe
-
Size
48KB
-
MD5
32b5957293f98168157e41878c75c728
-
SHA1
3709c779cf26aeebcaa14a7e767853d1d9ee2f00
-
SHA256
9f9ba87db16da2ad25f1d57d5584d5608cbb6a630fbebb4ab03fc9df2877a1d1
-
SHA512
fab9bd01769a608dce77358b0baa2b828d709cdb612337962d9e5b3ae9400ec65742bdc0eb2473d5f1150cd65e15e703c0d5a35843b9b27be694d157d7ad7e34
-
SSDEEP
768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qn8pKyNk:79mqyNhQMOtEvwDpjBxe8TpLk
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation 2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4832 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4004 wrote to memory of 4832 4004 2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe 82 PID 4004 wrote to memory of 4832 4004 2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe 82 PID 4004 wrote to memory of 4832 4004 2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-05_32b5957293f98168157e41878c75c728_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4832
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5fc5fe66c83d2ebdb83c2368baec104f0
SHA15dbd2bd247c40b7ae5326c7f7b9eede4cca73d9f
SHA256a732aeb52b24dd6395051ea938dba22f7d40d2ed8d924f9c3b21588f58cb55ac
SHA51295cbb26690698c941c04ab28a1d1a82165efa7d41d64196541149b5201078f6c17820d2ea086fdb824a8187025292b955a04a471a444b42058809f620372b5a3