cc874fd99203d21926ec3af8007a35c2e9e35a452a5c301f8e22251bbffb1f35

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe
Size

55KB
MD5

544f41b36f1f3223ea348a8b807958d7
SHA1

09c09a3ca5eceedde86a73b1709e250b91140330
SHA256

cc874fd99203d21926ec3af8007a35c2e9e35a452a5c301f8e22251bbffb1f35
SHA512

4f4e0377ff4c055b5551c2e6acf504253a53f71305c252e38fdfa456a37282044036f8b22f8c63a766e3ac80b690cc4b8f6765369e93a92eefe2279b42dc5efc
SSDEEP

768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YMLam5axzY22m:z6QFElP6n+gKmddpMOtEvwDpj9aYalv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5040-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000300000001f45f-13.dat	upx
behavioral2/memory/5040-18-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1680-19-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1680-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 1680	5040	2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe	25
PID 5040 wrote to memory of 1680	5040	2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe	25
PID 5040 wrote to memory of 1680	5040	2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe	25

C:\Users\Admin\AppData\Local\Temp\2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_544f41b36f1f3223ea348a8b807958d7_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
55KB

MD5
6b131f7182018842180444233f42d16b

SHA1
3b3eb5c452368f52a24b2574278420168d94ffb1

SHA256
7f2cdd58afd5adbe1b1299c8a7a5bf2bd82e6b05d433629dcca25b3602553131

SHA512
c8a11ecc308c559203f40760e4a190a347f657c03245b5bd68e66e479c9f4b5d110fed536e5f391b512bd8974635f1fa84ac98ccb85ae1c392179b6c0e970674

Download Submit
memory/1680-20-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/1680-21-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/1680-19-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1680-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5040-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5040-3-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/5040-2-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/5040-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5040-1-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download