01595cad539d2d866cef1dd31aae1fbcbfd14dd45dfdf1f8bca493c67408b0bc

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe
Size

107KB
MD5

e7abfef2fca2e65876ca6e98a7ba0fad
SHA1

0d96075b95363c7fdd9d100edc8a0c2173464eb3
SHA256

01595cad539d2d866cef1dd31aae1fbcbfd14dd45dfdf1f8bca493c67408b0bc
SHA512

b71f611ae7074446c622c93e2fa3eaa60a731bd0b9e51dca931b64fc5a9f0b711bba57abe8e97088878b973254532157d5908e9ccd513fb432aa000e0f69f756
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbN/PKwNCK:z6a+CdOOtEvwDpjcz1

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3448	asih.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1792-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00070000000231ea-13.dat	upx
behavioral2/files/0x00070000000231ea-16.dat	upx
behavioral2/files/0x00070000000231ea-15.dat	upx
behavioral2/memory/3448-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1792-18-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3448-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3448	1792	e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe	80
PID 1792 wrote to memory of 3448	1792	e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe	80
PID 1792 wrote to memory of 3448	1792	e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe	80

C:\Users\Admin\AppData\Local\Temp\e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e7abfef2fca2e65876ca6e98a7ba0fad_cryptolocker_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
107KB

MD5
73026cb8130b19bc4d4187fe4747e3d0

SHA1
d78e36525f862f9f1f16279aee20749e0264c594

SHA256
44c50a4b0455ac99a5e77c70d61272aadbc5d23fda368eba90a7dc9e6d826425

SHA512
aae3a2c4f284209eca033145325f23c51bc9b2c4c14f84011fad285dc266af9d4cf6661ea3bd460bc311e04378692417582a397cca358d95b7ea37fe86be93af

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
107KB

MD5
73026cb8130b19bc4d4187fe4747e3d0

SHA1
d78e36525f862f9f1f16279aee20749e0264c594

SHA256
44c50a4b0455ac99a5e77c70d61272aadbc5d23fda368eba90a7dc9e6d826425

SHA512
aae3a2c4f284209eca033145325f23c51bc9b2c4c14f84011fad285dc266af9d4cf6661ea3bd460bc311e04378692417582a397cca358d95b7ea37fe86be93af

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
107KB

MD5
73026cb8130b19bc4d4187fe4747e3d0

SHA1
d78e36525f862f9f1f16279aee20749e0264c594

SHA256
44c50a4b0455ac99a5e77c70d61272aadbc5d23fda368eba90a7dc9e6d826425

SHA512
aae3a2c4f284209eca033145325f23c51bc9b2c4c14f84011fad285dc266af9d4cf6661ea3bd460bc311e04378692417582a397cca358d95b7ea37fe86be93af

Download Submit
memory/1792-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1792-1-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/1792-2-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/1792-3-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/1792-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3448-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3448-20-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3448-21-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3448-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download