bc137cd60bbe2f5da2816a93ad1b5b654117abe14dc8ab1b0207893a7b286f59

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
Size

32KB
MD5

6de5800826e55c4a807716e4d2c80ec3
SHA1

1a5cdf4aeb22bf28a63c10166ecfa3b757deee03
SHA256

bc137cd60bbe2f5da2816a93ad1b5b654117abe14dc8ab1b0207893a7b286f59
SHA512

cf566703d6e54fb555f55a7bff81ad0c77ed79fb1b8af1245055d0f97865f2b3cf92c89b982e03b1b28fe1e1a18cc3a82a214948e4d173e2afabfb977778c403
SSDEEP

768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axjm:qUmnpomddpMOtEvwDpjjaYaA

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4600	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1320-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x000800000002346c-13.dat	upx
behavioral2/memory/1320-18-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/4600-26-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 4600	1320	2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe	84
PID 1320 wrote to memory of 4600	1320	2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe	84
PID 1320 wrote to memory of 4600	1320	2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_6de5800826e55c4a807716e4d2c80ec3_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
32KB

MD5
ddee684fe1320c838fa6f4ad6e9880c9

SHA1
978e187efdb21cc0301c59fdd19538cc13d208d5

SHA256
ae1340913bc985214d060ff9df6640e5eb5f91d0201f433c50285bd704c54ecb

SHA512
2fac9758fef9540315c68379ac28925f7c5a9289d0a4906fa723cbccb91e6fcb7c841ad150668a097968ffdd4482af03b56187db31cd3eb66d036380c29623d0

Download Submit
memory/1320-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1320-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1320-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1320-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1320-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4600-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download