b488fcb7461c5ad8e44abeee5f39d672e7cc20eac1973b93822a08adc4b9811a

Analysis

max time kernel
133s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe
Size

46KB
MD5

3de655aa6a2033df702f93efd47243b5
SHA1

f9beaad5acabb03ba2c16807bbf7d0072680aa74
SHA256

b488fcb7461c5ad8e44abeee5f39d672e7cc20eac1973b93822a08adc4b9811a
SHA512

d04e71fc3ae7b1e7146a5a83b5d56a540510adbcb169b82d7f9dd64b2814e0691aa6638f30b73dd77624df14197e8e92b3f11a61ddbc7af01d1c817ad5b18a42
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLaHaMMm2X3dXW:V6QFElP6n+gMQMOtEvwDpjyaHaXrW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2176	2104	2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe	31
PID 2104 wrote to memory of 2176	2104	2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe	31
PID 2104 wrote to memory of 2176	2104	2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe	31
PID 2104 wrote to memory of 2176	2104	2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_3de655aa6a2033df702f93efd47243b5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
47KB

MD5
6a334e0a7f259f5e6ed9e6397881ae4d

SHA1
e72b3317a9d6275c9549800bfcda9eeb921529ce

SHA256
263e3f701ecb9897d1ed6ab2cd01d4d03984cb450748f22285d08d9a1c208590

SHA512
5c7b881afbd18648d985cbc4a343ee3a07d86d2d7dca29b5f4d26aa48d9c26370171320856254fe364bf233803c38060dc3c764c55040594632d1c774b59df47

Download Submit
memory/2104-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2104-1-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2104-8-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2176-15-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2176-22-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download