58bd13b46cce75ac354e2fe3cfe651f1fe0ea076a5668a831a46bc8b8884f5ee

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe
Size

72KB
MD5

9d22f89d0de0bae0542e2de59927d062
SHA1

a165795c45ae76bcee229c51d06e272c8d13c02e
SHA256

58bd13b46cce75ac354e2fe3cfe651f1fe0ea076a5668a831a46bc8b8884f5ee
SHA512

1632fd8cbfbc5367c9bc7c23929fa0a8dbceb9b73b2997b6f3a9d2b1d0fb9ae13375c3db4a41d00fc55475b48bd8ab059a42d091e58c69578312534712a4793c
SSDEEP

1536:nj+4zs2cPVhlMOtEvwDpj4H8u8rZVTs9U:C4Q2c94OtEvwDpj4H8zt

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1052	2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1052-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x0004000000017801-11.dat	upx
behavioral1/memory/2484-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2484-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2484	1052	2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe	29
PID 1052 wrote to memory of 2484	1052	2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe	29
PID 1052 wrote to memory of 2484	1052	2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe	29
PID 1052 wrote to memory of 2484	1052	2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_9d22f89d0de0bae0542e2de59927d062_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
72KB

MD5
f0f4312bcd54ac6770f69d479fa936c8

SHA1
7987d3a177c4811840f40962d509bdca52dd1261

SHA256
a69d7c8084ea6378213856e8506073e626c7a70c8e5312a42b313a16da32d3bc

SHA512
4f4811bdc77f054a284ee20a40e42777d3bbb63d7c73c25e280a811c7dfff8f271fc65af9ac6a5e95f73c7467568cab9667b33deb6e9d4ba53e182dfc5eb11cb

Download Submit
memory/1052-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1052-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1052-1-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1052-9-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1052-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2484-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2484-26-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2484-19-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2484-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download