dc556896f938877c12de05aa2a33d65e177fbc1ec6ad84588e998395aefd8d44

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe
Size

55KB
MD5

4363848dc58a1ea985e09f19e84c7639
SHA1

c07190a743bcd0ecd6791a8dd627f1da5a36417d
SHA256

dc556896f938877c12de05aa2a33d65e177fbc1ec6ad84588e998395aefd8d44
SHA512

84c1104f2b0d5b178d46f740488f807e694b2929531ee35ad7f35509d287ab385121fb16937df26c0e7d44646da0a893168f81e44a0eb5cc2213584d790c0202
SSDEEP

768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YY1J+OTOkahA:z6QFElP6n+gKmddpMOtEvwDpj31ikJ

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4124	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3200-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0009000000023c60-13.dat	upx
behavioral2/memory/3200-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4124-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4124	3200	2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe	86
PID 3200 wrote to memory of 4124	3200	2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe	86
PID 3200 wrote to memory of 4124	3200	2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_4363848dc58a1ea985e09f19e84c7639_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
55KB

MD5
1ab08e17a7ab03f21d09f8f41599cebf

SHA1
7c2abb142b71888108369fc53cb83a43005729ca

SHA256
e945a20a36b5634ff418c3fa8544e17d31e8012f688e071479351eaa05817c3d

SHA512
960ab878ba08627c857b2608d562d103e7fa946709cbb0212b44b70f18f60f59cb793300ebb0bc4c5c1c9e575ce17c821a7f37a77194f1956ed748f018adbd35

Download Submit
memory/3200-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3200-1-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/3200-2-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/3200-3-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/3200-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4124-19-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4124-25-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/4124-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download