Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 06:54
Behavioral task
behavioral1
Sample
2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe
Resource
win7-20241010-en
General
-
Target
2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe
-
Size
96KB
-
MD5
f41e7fdc67c790ad153b34139919681a
-
SHA1
cf057b5bc50d1dd42c7da435867d34e966cd8416
-
SHA256
648c3627d2187bdcf2995c98cd147b2640783aa61860526c09691f93da570541
-
SHA512
7183104f1da570fed5084cbdb9c316d0133db8f90893f66be3dfcdfbdd8bddba566c285aff565afa7f01e94f38750951bc29f856b44e8da825be6503028c1e8b
-
SSDEEP
1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp0+Yq:AnBdOOtEvwDpj6z4
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4828 asih.exe -
resource yara_rule behavioral2/memory/2424-0-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/files/0x000c000000023b9b-13.dat upx behavioral2/memory/2424-18-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/memory/4828-27-0x0000000000500000-0x000000000050F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2424 wrote to memory of 4828 2424 2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe 85 PID 2424 wrote to memory of 4828 2424 2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe 85 PID 2424 wrote to memory of 4828 2424 2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-10_f41e7fdc67c790ad153b34139919681a_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4828
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD50dbdc511560bf70aa445cd75c509a997
SHA1b759fa5ee54fc7ef034ff05ccce828a6665d3c48
SHA256cc5c1ac4f7c56ba731d60edf4cebea65978b6e7cda224765916622bdd96d546a
SHA512080c0e0fee2b316a346d73129baeeb44c16ffc85719c36748e91bad781388f1bb07f4b48c077102d1422a198cdf24d100a21f4a7dc6d4c0edf3b3c8e027915a1