Analysis

  • max time kernel
    105s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/07/2025, 19:23

General

  • Target

    2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe

  • Size

    32KB

  • MD5

    0c42e6f529d5afa9d216be1688f6c908

  • SHA1

    c8c1961f46896379764c1691f2ee93e36b44855d

  • SHA256

    3803777c6d13e30c381ff440d87a3dc2af6452f2d0451d3d86f5e3d857850875

  • SHA512

    d13f929b4a7b8d158f7a0f9b93c788d673861ace632ceec01b4f2bf6422f898884e62a87776b704347f882d258ac17041c989ce2bfc7982e77e047c33803bb6e

  • SSDEEP

    768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axH:qUmnpomddpMOtEvwDpjjaYaB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-02_0c42e6f529d5afa9d216be1688f6c908_cryptolocker_elex.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:776

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\asih.exe

          Filesize

          32KB

          MD5

          cc18f506aa2e95938e02b3c7a2f267ee

          SHA1

          d609a0f40d45128d4d74310af603b61248c63c2b

          SHA256

          c707aaae801c53d36f4e61f4866bcab37b8d50981607046ffd946c5f3e1f4ff3

          SHA512

          41fce77377432da7a3cd9e1d39a23e99b4d4bfecd2be9602bc280385b850439ad835e4c1584f9a538eeafe4f10cd621d915986f6f73f5eee35d03df2d8ba51cf

        • memory/776-49-0x0000000000500000-0x000000000050F000-memory.dmp

          Filesize

          60KB

        • memory/5072-0-0x0000000000500000-0x000000000050F000-memory.dmp

          Filesize

          60KB

        • memory/5072-1-0x00000000004C0000-0x00000000004C6000-memory.dmp

          Filesize

          24KB

        • memory/5072-2-0x00000000004C0000-0x00000000004C6000-memory.dmp

          Filesize

          24KB

        • memory/5072-3-0x00000000004E0000-0x00000000004E6000-memory.dmp

          Filesize

          24KB

        • memory/5072-18-0x0000000000500000-0x000000000050F000-memory.dmp

          Filesize

          60KB