692cff19f1e7c95e5b69f3b935a682860b45cb858f7cefdcbe2ad9f8f52537b9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe
Size

124KB
MD5

5b1a700479c2ac1fb011a4d435a4f9bd
SHA1

929726ea99d4aa633518e093cadb0f31c746761a
SHA256

692cff19f1e7c95e5b69f3b935a682860b45cb858f7cefdcbe2ad9f8f52537b9
SHA512

0511aaa3cb797dd33028fc6153ab1a535e5155c782330b095ba13fa87df0a64d2e72820b5c55d1b900533edf76135d5ddd210c6602ba02e9d2a9ce9d4a2a26e7
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1eqZ:AnBdOOtEvwDpj6zM

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3564	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4380-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x0007000000023229-13.dat	upx
behavioral2/files/0x0007000000023229-15.dat	upx
behavioral2/files/0x0007000000023229-16.dat	upx
behavioral2/memory/4380-17-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/3564-26-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 3564	4380	2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe	82
PID 4380 wrote to memory of 3564	4380	2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe	82
PID 4380 wrote to memory of 3564	4380	2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe	82

C:\Users\Admin\AppData\Local\Temp\2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_5b1a700479c2ac1fb011a4d435a4f9bd_cryptolocker_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
124KB

MD5
22c517c269e8044f89e809ac11648b46

SHA1
ac5c21ac8923ce7a0e9f1f9eda15b53726d0e069

SHA256
d5564fb66b120cec5e98218b182187c3af6e82b15cba29c182c4d1a0d93629c4

SHA512
8d735dcf6229a71bd179222253a3c5fc394c7935a2aadc55bda369e7116990a603c0e621aa6cc8280c6d1556f0a961eb32723285b8786a7d1f042a0763a14a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
124KB

MD5
22c517c269e8044f89e809ac11648b46

SHA1
ac5c21ac8923ce7a0e9f1f9eda15b53726d0e069

SHA256
d5564fb66b120cec5e98218b182187c3af6e82b15cba29c182c4d1a0d93629c4

SHA512
8d735dcf6229a71bd179222253a3c5fc394c7935a2aadc55bda369e7116990a603c0e621aa6cc8280c6d1556f0a961eb32723285b8786a7d1f042a0763a14a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
124KB

MD5
22c517c269e8044f89e809ac11648b46

SHA1
ac5c21ac8923ce7a0e9f1f9eda15b53726d0e069

SHA256
d5564fb66b120cec5e98218b182187c3af6e82b15cba29c182c4d1a0d93629c4

SHA512
8d735dcf6229a71bd179222253a3c5fc394c7935a2aadc55bda369e7116990a603c0e621aa6cc8280c6d1556f0a961eb32723285b8786a7d1f042a0763a14a94

Download Submit
memory/3564-20-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/3564-19-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/3564-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4380-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4380-1-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4380-2-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4380-3-0x00000000007F0000-0x00000000007F6000-memory.dmp

Filesize
24KB

Download
memory/4380-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download