66d19de3e2534e755c13f02e1a70a6ffc44a6c1488a6e2aa4aa7452485bc67a2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe
Size

96KB
MD5

48c69bff7c442dd1258111e020fd7693
SHA1

0645e62d8c847c8cfd6a19bf259fe459a6ea75bf
SHA256

66d19de3e2534e755c13f02e1a70a6ffc44a6c1488a6e2aa4aa7452485bc67a2
SHA512

6c818a23252d58d8a57f7dac9e9cfbdbe567b15cc2ee9a910d9a542089a5a8b7854f93d7031440700781ac1143c2855744f1e67446cd4e727421596e0ae5d8da
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp0+YS:AnBdOOtEvwDpj6zA

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4732	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/736-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x00080000000234fa-13.dat	upx
behavioral2/memory/736-18-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/4732-27-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4732	736	2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe	82
PID 736 wrote to memory of 4732	736	2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe	82
PID 736 wrote to memory of 4732	736	2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_48c69bff7c442dd1258111e020fd7693_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
96KB

MD5
fdbe77f9f1b50f8ae14577a11fbb1d31

SHA1
dfa680a35829fcbfbfffd4432a8d1065d5df0cb9

SHA256
c1a12fbfcd4d51ff956b0b2282be5748c76f8113285f2b8c9f70d982ba63af40

SHA512
16cb294f0cd024196e173db8c643368dfb75cee87d4c5de3c65975283f0ad98a2125b46f0372225914d15f767ecae97987fa7ec899278a268e9889d9331dc23a

Download Submit
memory/736-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/736-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/736-2-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/736-3-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/736-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4732-21-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4732-20-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4732-27-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download