Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 18:35
Behavioral task
behavioral1
Sample
2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe
Resource
win7-20241010-en
General
-
Target
2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe
-
Size
38KB
-
MD5
77281728af69a91d69f3adcb3dbf7cfd
-
SHA1
52450010a7b622712da5e12d369f1224a457c283
-
SHA256
7d8f4596fe96d608318d9f3c49edc85055f6eb26e46c538d6dc0b8765f715d9a
-
SHA512
4ded655a475e6597c1d274f581a52c9c28c93cbe5c9e98ca991ee31614628352bc6638071eea3acb3d205515235d3a67a74cc7500c26f68c914faa94f4dd9dab
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITElh:qDdFJy3QMOtEvwDpjjWMl7TE7
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 2292 asih.exe -
resource yara_rule behavioral2/memory/2612-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x0009000000023c94-13.dat upx behavioral2/memory/2612-17-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/2292-26-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2612 wrote to memory of 2292 2612 2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe 83 PID 2612 wrote to memory of 2292 2612 2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe 83 PID 2612 wrote to memory of 2292 2612 2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-09_77281728af69a91d69f3adcb3dbf7cfd_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5f6d13c957bdc1a942dae24b7634c54b5
SHA1cbd5180d6db8118cf4648e91ddc4900cd565ac4b
SHA25645fa7a2ddbf553006dc2175bd832cc6fbf7a907392660573509eafded2ee4f92
SHA5123199283c9478e93cc3aa545f463f54a515bd4a1772153930cd3dfe2a843e63c625132662ca7a7fff425963063d2641055487d516c95baf29ffef3299ff63faf7