Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 18:39
Behavioral task
behavioral1
Sample
2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe
Resource
win7-20241010-en
General
-
Target
2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe
-
Size
37KB
-
MD5
856b40d3570b6e5c732eeb5e85e70f0a
-
SHA1
2d4ec5c1674f0c96fa7bde039589e33750e421a8
-
SHA256
5d98071135227b0f1cee8e1ffafbbc70148ec2ce67b97ea08000f3b9b0289b7a
-
SHA512
5dff3b7dcd38e0471e01e818a484d1bea9529cf7f40428f2d159799debf2c86b3846cfce9210a6da50421ca98c8a22854dae136fbc08bad8603a3a7b1e99e792
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkIT6r:qDdFJy3QMOtEvwDpjjWMl7T6r
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 2964 asih.exe -
resource yara_rule behavioral2/memory/956-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x000a000000023c0f-13.dat upx behavioral2/memory/956-18-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/2964-26-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 956 wrote to memory of 2964 956 2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe 85 PID 956 wrote to memory of 2964 956 2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe 85 PID 956 wrote to memory of 2964 956 2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-09_856b40d3570b6e5c732eeb5e85e70f0a_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD57791cb0245dd7033123f4b9257171957
SHA169b083e578638afcfb41a8368cba464dcbf3f870
SHA256096dadec574232f58a2814ca019ebe34599fde3801601aab44eade4c26c30c34
SHA512b5a87bc9db4679603a60b2e691f64f2f0250a8ee175c0ee28745b48d29c396f1b3c91422731b2f04e48a472eb44af9f6ca8d0d3cbba5f3f65c316082e82658c3