e184fe7c7217f497451685e42b19b8780d358f479c9b262741b96b2af58c8294

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe
Size

96KB
MD5

1897668f3d70f5ae0ff0cde9dc7180fe
SHA1

8346ebc0948d38a644b0b4f3882db08a893139a7
SHA256

e184fe7c7217f497451685e42b19b8780d358f479c9b262741b96b2af58c8294
SHA512

1f4e33fef316ffdeca10922cc76f0175a794267151d4caffc4b33ff2182cdddd0f159a1b5dd61b566d0d8f1d7ad9f0f50db1e1f36f1564e5833045c085726cea
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgpwqWsviPvr:AnBdOOtEvwDpj6z1r

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2208-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x00080000000233c9-13.dat	upx
behavioral2/memory/2208-18-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/2368-27-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2368	2208	2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe	84
PID 2208 wrote to memory of 2368	2208	2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe	84
PID 2208 wrote to memory of 2368	2208	2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_1897668f3d70f5ae0ff0cde9dc7180fe_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
96KB

MD5
14d935b3d4a1cc1df7d7b4ae2af4f7d4

SHA1
a512e5b09a9f6cb4ad8818bc58281b23644614dc

SHA256
dd1db0760172d9ba5ab5629bacb0620bd86c89843f0f144ff580358bee1b633b

SHA512
9c6e0bb3ee48c426ae4b1d40bf92af025fcd6063d9479afacc33cda8dab51e73f845038c0a2e2c69bef3870546bc029cb74fdda0de82cae735ae4b39842d2ca9

Download Submit
memory/2208-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2208-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2208-2-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2208-3-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2208-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2368-20-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/2368-21-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/2368-27-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download