Analysis
-
max time kernel
141s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 09:51
Behavioral task
behavioral1
Sample
2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe
Resource
win7-20240705-en
General
-
Target
2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe
-
Size
39KB
-
MD5
554730e8b97fdee57ebc24edf8c63473
-
SHA1
7f63af31a52ec634d4368a74e213d5d60db10dd7
-
SHA256
e5857e7c38b52e5c549067e332f3749f6a998148e3f602f43603f17c26d184a7
-
SHA512
f6b1971f8ccf6d61485ee646a60ec3a3a5326c2df732d46a141cec79662e8755edf3d684effc03b8e7b0daa17e6b60032fd662cc41c75c71a488161eda73efa0
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITH:qDdFJy3QMOtEvwDpjjWMl7TH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2544 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 3024 2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe -
resource yara_rule behavioral1/memory/3024-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/files/0x0009000000012029-16.dat upx behavioral1/memory/3024-15-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2544-17-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2544-27-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3024 wrote to memory of 2544 3024 2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe 30 PID 3024 wrote to memory of 2544 3024 2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe 30 PID 3024 wrote to memory of 2544 3024 2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe 30 PID 3024 wrote to memory of 2544 3024 2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_554730e8b97fdee57ebc24edf8c63473_cryptolocker.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD55d97e3f287c7a88668d70364d76e77b8
SHA1f64d75a298c81f60cb475e94f504134ef41c8089
SHA256ba84235b5b45cce5cf1452fde1719180002c9a77ebeb2b644f0334d4f855e3e6
SHA512a9640c45075d98e70ac56a0eb65f893d2184b4583bf8c6e1889c7b793145cab6e826515482030e2229aa6f09c6c455a1867903a22be5d2d8ce15589274a2e84e