0c56c98ceaaa9dfda7c8cc821595b3809896d7832d912070c73bb0287d9b3b09

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe
Size

70KB
MD5

0f1c78526b367bd1be25bc28bd34c54a
SHA1

2c76133801c102a52296611dded5baa550add02b
SHA256

0c56c98ceaaa9dfda7c8cc821595b3809896d7832d912070c73bb0287d9b3b09
SHA512

bd306fe139042575907e5532f292702bc5654bfd05d1bdc359c801f04de307be6927b012b546aa403c828bce386b7cb7b2ace157a1b2e5bd549b42425d4705fd
SSDEEP

1536:quJu9cvMOtEvwDpjWYTjipvF2bx1PQAeG:78SEOtEvwDpjWYvQd2Pv

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4728-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x0008000000023470-13.dat	upx
behavioral2/memory/4728-18-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/3128-27-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3128	4728	2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe	84
PID 4728 wrote to memory of 3128	4728	2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe	84
PID 4728 wrote to memory of 3128	4728	2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_0f1c78526b367bd1be25bc28bd34c54a_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
70KB

MD5
cd938714ba1aca2505a1e46784b760a5

SHA1
b5db9301a28786de51d23ca209537d18788c03d1

SHA256
1a086f452ed8adfedc593071f4866af9172e779307fedc61639c7b69365fe4db

SHA512
658298a483328aa076bca24077c7bd9ce61a181f85a13563e074d4b743fc1cde133114759e6948b94bfe98cf61b80cb48a7aa296486fb777151113cfc8b4cf19

Download Submit
memory/3128-20-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download
memory/3128-21-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/3128-27-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4728-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4728-1-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/4728-2-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/4728-3-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/4728-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download