946eb4c391e460cc23fa77a9e401e55a684562debc7c9b5b7dd889886186d698

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe
Size

106KB
MD5

1144984e18f7b20403235fd3ae3e57c6
SHA1

ea529de7352933b13265db6decc54a636d824279
SHA256

946eb4c391e460cc23fa77a9e401e55a684562debc7c9b5b7dd889886186d698
SHA512

1fe6eab427c378461aa96cfbdf054ce72efa366cb09628f760d4a5803d7c4b2c136884f0a590d3e21e4b4c33b96f49f028c88491add9d015d708d38392a0614d
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalRn5iF1j6GksgER:1nK6a+qdOOtEvwDpjv

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	asih.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3952-0-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x000400000001e96f-13.dat	upx
behavioral2/memory/3952-19-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/memory/2380-17-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x000400000001e96f-16.dat	upx
behavioral2/files/0x000400000001e96f-15.dat	upx
behavioral2/memory/2380-27-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 2380	3952	2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe	22
PID 3952 wrote to memory of 2380	3952	2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe	22
PID 3952 wrote to memory of 2380	3952	2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe	22

C:\Users\Admin\AppData\Local\Temp\2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_1144984e18f7b20403235fd3ae3e57c6_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
85KB

MD5
ecb928a9086640c6a5515de3c0e0fffd

SHA1
dcf72a5daf81b925b7e855792a99463cb9dd623c

SHA256
24837542eb9be8b303c100e7eda45c5a925b73ea497f70ec49347f4e3c371c55

SHA512
ef28e9666f09c5d79581f810f2ead22abeac6b647f17af78405abc2d6d98915f6af635d625ba3628f721484e7c200c4f4ee797bc1a440cd09d364b1e440a72db

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
26KB

MD5
2b401d39c6fc134194b49967f0ba4572

SHA1
bfa1d16519564e2a867d2d7b6894d371958f7f70

SHA256
55dc558808cb8a809141b83d9c06074479456d69062c3d5ac729e008caeae9aa

SHA512
52134924786924a212d4772b7987bccf8edd22d33a66ff80a7a13c7e109094bc0ade234d0b931f8815d5403a097905e0b6969cf44bf55c1a7035922fe7cd0e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
57KB

MD5
a6dce022edda6b3f859b97d3c435f636

SHA1
d360e7fffa5dc88bccc6fe563a752fc94049280e

SHA256
6b0e89c6b25e060fb4f579e7b66f02eac4feee3229594fe1ee8358482e745b45

SHA512
1d97e621749386e392a63ea1ada08a71fb7c8e57faaac8b2c04d204f003dfa9c068224c4a2936caa7a7269222c906fe5feabfd4b9c8e179421d2ec09c98c3ac5

Download Submit
memory/2380-20-0x0000000001F70000-0x0000000001F76000-memory.dmp

Filesize
24KB

Download
memory/2380-26-0x0000000001F50000-0x0000000001F56000-memory.dmp

Filesize
24KB

Download
memory/2380-17-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2380-27-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/3952-0-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/3952-2-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/3952-3-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/3952-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/3952-19-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download