955270ed7d858fee71453aec8d3388d11e119c196158a13f76bf6c5a964cac95

Analysis

max time kernel
68s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

crocodile_clips3_5ing.exe
Size

1.8MB
MD5

02b4039499ee475b082a2d4c7c353980
SHA1

6f75c8d55afa10a3c60fc0889ae39d6e39b9b924
SHA256

955270ed7d858fee71453aec8d3388d11e119c196158a13f76bf6c5a964cac95
SHA512

f869345806165c911d61aa5ff906b6ff96185fbcadc98829a9b414786f6ff3c41d0557545c2933511b7ebb6829fd1e472e701060b75653ae5e4384fa43ea9982
SSDEEP

49152:5uPjUcc77+R/sdWLJmNWGf1CGr7Aeb8SQ2GZbf:5Gi7KRmr0Gr7A/STGZbf

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	crocodile_clips3_5ing.exe

Loads dropped DLL 1 IoCs

pid	Process
5008	crocodile_clips3_5ing.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_p_1\ACTI-1.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_p_1\ACTI-28.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_al_1\ACTI-15.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Waves\Vi0004.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\LOGIC.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\TRAFFIC.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_a_1\DESTRU1.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_a_1\ELEMANI1.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\ETAA_P61.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\Gravity.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\NOISE.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\RCDECAY.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\RECTIFY3.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_a_1\ACTI-13.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ele_digi\Act_I1.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ele_digi\Bas4var.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\Actividades diseno con crocodile\Depósito.ckt	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\555_MONO.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\ETAA\ETAA_P15.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\RECTIFY.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\_DEISREG.ISR	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\TEP003.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_a_1\Botones1.ckt	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Dynamics\Dy0001.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Transist\Tr0001.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_pr_1\ACTI-10.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\DC\Dc0001.ckt	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Electric\El0001.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\CAR1.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\Coll_w1.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\OHMS_LAW.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\RECTIFY3.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\Coll_e2.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_pr_1\ACTI-18.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ele_digi\Act_I3_b.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\Modelos actividades con crocodile\modact2.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\_ISREG32.DLL	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\Cart2.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\RECTIFY2.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\SENSORS.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\TEP004.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\Actividades diseno con crocodile\Riego1.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_p_1\ACTI-20.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_al_1\ACTI-14.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ele_digi\Ejemplo2.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_pr_1\ACTI-4.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\AC\Ac0002.ckt	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Dynamics\Dy0002.ckt	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_a_1\OSCILOS2.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_a_1\SALPAS1.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\CAR1.CKT	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\Cart1.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\ETAA\ETAA_P49.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\ETAA\ETAA_P69.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_p_1\ACTI-21.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_al_1\ELEMANI1.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_al_1\tasaosci.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_pr_1\ACTI-6.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\EJEMPLOS\Coll_w3.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\eje_al_1\ACTI-23.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Electric\El0003.ckt	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\WorkSheets\Waves\Vi0003.ckt	crocodile_clips3_5ing.exe
File opened for modification	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_p_1\ACTI-27.CKT	crocodile_clips3_5ing.exe
File created	C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\ejem_p_1\ACTI-5.CKT	crocodile_clips3_5ing.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	crocodile_clips3_5ing.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2088	5008	crocodile_clips3_5ing.exe	91
PID 5008 wrote to memory of 2088	5008	crocodile_clips3_5ing.exe	91
PID 5008 wrote to memory of 2088	5008	crocodile_clips3_5ing.exe	91

C:\Users\Admin\AppData\Local\Temp\crocodile_clips3_5ing.exe
"C:\Users\Admin\AppData\Local\Temp\crocodile_clips3_5ing.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\Leeme.txt
  2⤵
  PID:2088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\crocodile clips\crocodile clips 3_5ing\Leeme.txt

Filesize
1KB

MD5
c8ba017229ea71b26a7fe8ee374d33a4

SHA1
0582355b75c76493ff68b5ab33b504a960fb5a5e

SHA256
8015fe744068d018d1fe8a69a03b51c1b8c3d0a801d591ed2b70ad82d5b6392b

SHA512
d363e6d4ffe8ed6ab341b57de9295c1708a5b18ba73b9b8934576e5a1c8e98e604d36408a2f2f44d793e53da60e047c2f2657cfe92e1394aeb23ce9985c17a40

Download Submit
C:\ginstall.dll

Filesize
55KB

MD5
242089d713b2ac02b1f81ae0e8faa25d

SHA1
916bb90b3e56baea585d81c3716c601283a1bde4

SHA256
5c8143f72a8b83c01c2f17e981cd1756ef8223c92c0be47a06bfcd28a0ec1479

SHA512
d978d6ed6dec843d4266c6f6707798311c72391a0e10164d38d391befc3e54e2ddf1097ef9d5d590adcfe76bb21cebf80da62d2a6a46087c38c606015b41cc3b

Download Submit