98e22b91ae2f633a098efc6c419b638c917655d3c20013187ffd81b4ae2e7395

Analysis

max time kernel
132s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe
Size

43KB
MD5

abd9b8f2c0594b47c5262e400a4e0bed
SHA1

82b7ff8b12a63efcac685d804c7d0219c731ac57
SHA256

98e22b91ae2f633a098efc6c419b638c917655d3c20013187ffd81b4ae2e7395
SHA512

49c7f9a9eab2c039966e4f5e63fe9a83d365d013dc9f05e18739afd97056d776ba6842c953af004990b3e7f1833839819a02f774e9f7813b72bbaa14355ed318
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HK/wSvuQTCyD/95Ov:X6QFElP6n+gJQMOtEvwDpjBsYK/fbDFc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2520	1712	2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe	30
PID 1712 wrote to memory of 2520	1712	2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe	30
PID 1712 wrote to memory of 2520	1712	2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe	30
PID 1712 wrote to memory of 2520	1712	2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_abd9b8f2c0594b47c5262e400a4e0bed_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
43KB

MD5
59f8f57b9eef12896befbdf50a839d73

SHA1
2253713e63cc4f420cc65bf200c658e72e915efd

SHA256
06f16415d2d923983570f1298d9aecae0ce5c043df1cc5da0464744cb6aa4c19

SHA512
23f652f58e763636bb39893b6e8425e443f2b8e3900b583f44a3ce36e026a68e9374ddd3e8835da1a3b9e74da033205e791ce7e94ecdf7ed229afaa09e0f1e8b

Download Submit
memory/1712-1-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/1712-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1712-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2520-15-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2520-22-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download