727e10557f9935d9ebd720befc7b3ce2ae0a8fc1a093639062d2120edf063831

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe
Size

391KB
MD5

5b513a3dee8fc2379ba495df3d6e4c0e
SHA1

76b40b48c4ffeecbe0a80e211eb0f2b521c5496b
SHA256

727e10557f9935d9ebd720befc7b3ce2ae0a8fc1a093639062d2120edf063831
SHA512

d4d726b122a3d589e32f8230a6bfe1b1b4b345be324cf9f60f1e503bc0a82cd51e15136db0a2dc413bf919338d44dbde876029b9cdf2f94e824a16fd1fa5f55b
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzX0:nnOflT/ZFIjBz3xjTxynGUOUhX0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2092	2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasfj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 576	2092	2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe	30
PID 2092 wrote to memory of 576	2092	2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe	30
PID 2092 wrote to memory of 576	2092	2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe	30
PID 2092 wrote to memory of 576	2092	2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_5b513a3dee8fc2379ba495df3d6e4c0e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
391KB

MD5
91d3983369ce822caa2586fd94a9077e

SHA1
e26cc6375cab3c067e79e08aeb32002df9a81e3a

SHA256
066e2df206975d4b89849299ed7b053bbd9bc08f153dfb8d9516f9dce92cceba

SHA512
bbd65d576fbaa4662a6b86bca8b208d1372a27203041d573cedc0505577c1022f93da8a5e0bc05c6040226b6f5362745e9f53e23e2ec97ea733264bc77bbe505

Download Submit
memory/576-16-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/576-15-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/2092-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2092-8-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2092-0-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download