97931054a7b5f33806164726509c4c989fb1eb0710733008b41ba2153c4e64f5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe
Size

40KB
MD5

289292741b0612a5b2117133163f7ba3
SHA1

eb5fa8b7da0e019ba893a6f7cece0d116b0cbf10
SHA256

97931054a7b5f33806164726509c4c989fb1eb0710733008b41ba2153c4e64f5
SHA512

668ededce0d96db33ce23e70e656f3e72c15f16e460faba54dddde4193e19073436b4b8fe60ef97025083b7afca3de5278e934bf57ce30f34d1d4018d7751dd4
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITYabDNHX:qDdFJy3QMOtEvwDpjjWMl7TdV3

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4120	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000c000000023b1d-13.dat	upx
behavioral2/memory/3040-18-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4120-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4120	3040	2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe	84
PID 3040 wrote to memory of 4120	3040	2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe	84
PID 3040 wrote to memory of 4120	3040	2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_289292741b0612a5b2117133163f7ba3_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
41KB

MD5
ae97328ab40a24b3ed0cb06cd13e837b

SHA1
a6f20ff24361ce6a41dc9f86a5eef93577d6d4f4

SHA256
ab85bacac024a807905d682deffbb332d3ee7128d5f910fd68a3e254054634ec

SHA512
3ee85b2c85bcf2b283d774c1786114e5ffea12daab6652d3c4ae55db7b51a9cf36c84db420a44287b68f902f6a02525ea0746a2b59e3c5ed147825a941725de9

Download Submit
memory/3040-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3040-1-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/3040-2-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/3040-3-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/3040-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4120-20-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/4120-21-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/4120-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download