80d8c92149b8701c58f1e9bc80febd64ad6717ab6b61aad8ee5cc34d8ea618dd

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe
Size

39KB
MD5

02b2a206b6d3f9c7e3c9d05a1f3e69af
SHA1

d59de7ae972201eb2d00223a3cafe80486d73f79
SHA256

80d8c92149b8701c58f1e9bc80febd64ad6717ab6b61aad8ee5cc34d8ea618dd
SHA512

40c802a38a4f6b6f35a19a8e9c60b68ba2dfcbd4632ed91e2383587533f0b133cab461518a18c5436239d67eb61c46e231f8e3d067a4be946a848d329e77ae86
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLeJAsKuD5:ZzFbxmLPWQMOtEvwDpjLeJAsKc5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2872	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2872	2136	2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe	30
PID 2136 wrote to memory of 2872	2136	2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe	30
PID 2136 wrote to memory of 2872	2136	2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe	30
PID 2136 wrote to memory of 2872	2136	2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-11_02b2a206b6d3f9c7e3c9d05a1f3e69af_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
40KB

MD5
62b928084ece95d9c77606d9093129f6

SHA1
9aaba531a59b904950ffd57612a763f133ee2f04

SHA256
79b6b5fb8f9ebdadd0a5968f7ec46b9cc56c674aad6d2ef9ebf2efcaeb5e8b10

SHA512
217878a559ac91679e6e864e0f263d8cd831cfaf70e40729b7c2a01279b05ec41bb6b6c1601269460a7d037d3a74dfc0eb40613f9421da692a56a684c5283eb1

Download Submit
memory/2136-0-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2136-2-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2136-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2136-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2872-15-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2872-17-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2872-24-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download