Analysis

max time kernel: 105s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 19:23
General

Target: 2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe
Size: 32KB
MD5: 0c42e6f529d5afa9d216be1688f6c908
SHA1: c8c1961f46896379764c1691f2ee93e36b44855d
SHA256: 3803777c6d13e30c381ff440d87a3dc2af6452f2d0451d3d86f5e3d857850875
SHA512: d13f929b4a7b8d158f7a0f9b93c788d673861ace632ceec01b4f2bf6422f898884e62a87776b704347f882d258ac17041c989ce2bfc7982e77e047c33803bb6e
SSDEEP: 768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axH:qUmnpomddpMOtEvwDpjjaYaB
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Control Panel\International\Geo\Nation | asih.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Control Panel\International\Geo\Nation | 2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe
Executes dropped EXE (1 IoC)

pid | Process
776 | asih.exe
YARA matches for the rule upx, on the dropped file and on the 0x500000-0x50F000 region of both processes:

resource | yara_rule
behavioral1/memory/5072-0-0x0000000000500000-0x000000000050F000-memory.dmp | upx
behavioral1/files/0x00040000000227b3-13.dat | upx
behavioral1/memory/5072-18-0x0000000000500000-0x000000000050F000-memory.dmp | upx
behavioral1/memory/776-49-0x0000000000500000-0x000000000050F000-memory.dmp | upx
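To show what an upx rule hit like the ones above keys on, here is an added Python example (my code, not part of the sandbox report or its rule set). It builds two constructed minimal PE images in memory, walks the COFF section table, and reports a file as UPX-packed when it carries UPX0/UPX1 section names or the "UPX!" marker the packer leaves behind. The names build_pe, section_names and looks_upx_packed are this example's own.

```python
import struct

# Added example, not from the report. Builds a bare PE skeleton (DOS header,
# PE signature, COFF header, zeroed PE32 optional header, section table) so
# the parser below has something realistic to walk. Not a runnable executable.
def build_pe(names):
    e_lfanew = 0x40                      # PE signature right after the 64-byte DOS header
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                      # IMAGE_OPTIONAL_HEADER32 size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0b\x01" + b"\x00" * (opt_size - 2)   # Magic = PE32, rest zeroed
    table = b""
    for name in names:                   # each IMAGE_SECTION_HEADER is 40 bytes, name first
        table += name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
    return dos + b"PE\x00\x00" + coff + optional + table


def section_names(pe):
    """Return the section names of a PE image, validating the headers on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size         # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = pe[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(pe):
    """Heuristic in the spirit of a typical 'upx' YARA rule."""
    names = section_names(pe)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in pe


# Constructed fixtures: one image with UPX's section layout, one without.
PACKED = build_pe(["UPX0", "UPX1", ".rsrc"])
CLEAN = build_pe([".text", ".rdata", ".data"])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, section_names(image), "upx" if looks_upx_packed(image) else "no match")
```

Section names and the literal marker are trivial for a repacker to rename or patch out, so a hit like this is evidence of packing, not a family verdict, and a miss proves nothing. The report's matches on the memory dumps of both PID 5072 and PID 776 are the more useful signal for triage, since they hold whatever the on-disk header says.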
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | asih.exe
Suspicious use of WriteProcessMemory (3 IoCs)

description | pid | Process | procid_target
PID 5072 wrote to memory of 776 | 5072 | 2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe | 87
PID 5072 wrote to memory of 776 | 5072 | 2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe | 87
PID 5072 wrote to memory of 776 | 5072 | 2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe | 87
Processes

1. C:\Users\Admin\AppData\Local\Temp\2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe (PID 5072)
   command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (PID 776), child of PID 5072
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
-
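The Signatures and Processes sections are the sandbox's verdicts; the added Python example below (my code, not tria.ge's or the report's detection logic) shows how the same findings fall out of a process/file event stream. It replays a constructed trace modelled on this process tree (PIDs 5072 and 776, the image paths and the dropped asih.exe path are from the report; the parent PID 1234 and the notepad.exe event are made up as a negative control) and derives "Executes dropped EXE", the parent-to-child WriteProcessMemory flag, and a Temp-to-Temp spawn check. The event schema and the name analyze are this example's own, not a Sysmon or sandbox format.

```python
# Added example: correlate constructed process/file telemetry into the
# signatures seen in the report. The dict schema is this example's own
# assumption, not a Sysmon or tria.ge format.
TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed sample trace modelled on the report's process tree.
EVENTS = [
    {"type": "process_create", "pid": 5072, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe"},
    {"type": "file_create", "pid": 5072,
     "path": r"C:\Users\Admin\AppData\Local\Temp\asih.exe"},
    {"type": "process_create", "pid": 776, "ppid": 5072,
     "image": r"C:\Users\Admin\AppData\Local\Temp\asih.exe"},
    {"type": "process_access", "pid": 5072, "target_pid": 776,
     "access": "WriteProcessMemory"},
    {"type": "process_create", "pid": 4100, "ppid": 600,      # negative control
     "image": r"C:\Windows\System32\notepad.exe"},
]


def analyze(events):
    """Replay events in order; return a list of (pid, signature) findings."""
    dropped = {}      # lowercased path of every .exe written -> writer pid
    image_of = {}     # pid -> lowercased image path
    parent_of = {}    # pid -> ppid
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and ev["path"].lower().endswith(".exe"):
            dropped[ev["path"].lower()] = ev["pid"]
        elif kind == "process_create":
            image = ev["image"].lower()
            image_of[ev["pid"]] = image
            parent_of[ev["pid"]] = ev["ppid"]
            # "Executes dropped EXE": the image was written to disk earlier in this trace
            if image in dropped:
                findings.append((ev["pid"], "Executes dropped EXE"))
            # Parent and child both running out of %LOCALAPPDATA%\Temp
            if TEMP_MARKER in image and TEMP_MARKER in image_of.get(ev["ppid"], ""):
                findings.append((ev["pid"], "Temp-to-Temp process spawn"))
        elif kind == "process_access" and ev["access"] == "WriteProcessMemory":
            # Only flag writes into a process the writer itself spawned
            if parent_of.get(ev["target_pid"]) == ev["pid"]:
                findings.append((ev["pid"], "Suspicious use of WriteProcessMemory (into own child)"))
    return findings


if __name__ == "__main__":
    for pid, sig in analyze(EVENTS):
        print(f"PID {pid}: {sig}")
```

A parent writing into a child it has just created is also what ordinary loaders, debuggers and some installers do, so treat the WriteProcessMemory finding as a triage flag to combine with the dropped-file and Temp-path context, not as a verdict on its own.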
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 32KB
MD5: cc18f506aa2e95938e02b3c7a2f267ee
SHA1: d609a0f40d45128d4d74310af603b61248c63c2b
SHA256: c707aaae801c53d36f4e61f4866bcab37b8d50981607046ffd946c5f3e1f4ff3
SHA512: 41fce77377432da7a3cd9e1d39a23e99b4d4bfecd2be9602bc280385b850439ad835e4c1584f9a538eeafe4f10cd621d915986f6f73f5eee35d03df2d8ba51cf

Same size as the submitted sample (32KB) but with different hashes, so this is not a byte-identical copy of the parent.