Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 13:45
Behavioral task
behavioral1
Sample
2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe
Resource
win7-20241023-en
General
-
Target
2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe
-
Size
102KB
-
MD5
192ab7b214d0734a83cd6ee5f3e59902
-
SHA1
1cd356af0f80cced67dcd48219fa75b60c43703e
-
SHA256
82c8b9587010812d9847ab1acf7a7b843dde1feb5bc2f80cfe0791ed76c3d20e
-
SHA512
874df2fd360d5a58e912ee211306fd48c111faf2f31c3ef15e0b26b30ae23f39d4041103e7dc14c0705309dc076daa62a32ba9c6dd9d95c7f33cd414d20bafe2
-
SSDEEP
1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgpwqWsviP1l:AnBdOOtEvwDpj6zl
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 3976 asih.exe -
resource yara_rule behavioral2/memory/2932-0-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/files/0x000c000000023b6e-13.dat upx behavioral2/memory/2932-16-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/memory/3976-26-0x0000000000500000-0x000000000050F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2932 wrote to memory of 3976 2932 2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe 83 PID 2932 wrote to memory of 3976 2932 2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe 83 PID 2932 wrote to memory of 3976 2932 2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-09_192ab7b214d0734a83cd6ee5f3e59902_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3976
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102KB
MD5eda7810560b87103bac3a78b643cf5c1
SHA1725a4ef471fd3138501db8fe4b0b48e9a01b605a
SHA25624eb2a5fff433d44e7d9c40d4f233cd0f7eae67e296e0c118f79c27fb0eb9551
SHA512c2d1b9e933932ca3827c83121926cf8b936aa39bbc43e7a44d8704faae4bc4adb0127255b4a3189b49bc22f5c396b47d45b06f069abd215a208be411cfa3e187