ea891f259b040a6efa59d4f3eb4b41ab4cb2ada65ce5c00bfc5f1a6dee71d956

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe
Size

64KB
MD5

4f0589a73ed6cab4fda8b97758d22a72
SHA1

ab17f28a965c9a455681cd6b30b0f694973950fb
SHA256

ea891f259b040a6efa59d4f3eb4b41ab4cb2ada65ce5c00bfc5f1a6dee71d956
SHA512

cbaa1624843fe11d5c368212e51a974061a1fc8fa907972a177be016d4f575bfd10a7c209a6e3255390daafee19a9c58840c800cc6bb39a3077df14746123736
SSDEEP

768:P8mnjO6LsoEEeegiZPvEhHSG+gbum/kLyMro2GtOOtEvwDpjKvWxHCbSVaFn0jK3:P8mnK6QFElP6n+gymddpMOtEvwDpjYMI

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4484-0-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x0009000000023428-13.dat	upx
behavioral2/memory/4484-17-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/memory/2208-26-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2208	4484	2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe	82
PID 4484 wrote to memory of 2208	4484	2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe	82
PID 4484 wrote to memory of 2208	4484	2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_4f0589a73ed6cab4fda8b97758d22a72_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
133e7d1223e41e5cb78160b5b68da18b

SHA1
a6da490b57ec218706f163a4f7018115a33d4b23

SHA256
7ed3c91feddbed8941dc1357f00f308fd52abffefbfd4064fc3ad0b2b1185272

SHA512
56ee1381e82f1e6d0ef2841e6cd20d2cf048120c6ed8ce87adb4c0d2025f050dcfa6ef73aae6ce51c2ac917c291d3d57a54b82d360005286a2ebf5fdd1ca4e2f

Download Submit
memory/2208-19-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2208-25-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2208-26-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/4484-0-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/4484-1-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4484-2-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4484-3-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4484-17-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download