23ba2b5a2d2e31cb9f15345fe01e92ae067df2d555429cddefe9342e8e9bf264

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe
Size

60KB
MD5

ada376ee837c92364d427072e1e4773f
SHA1

a8dc5f545cb55c002fb4104e3debfb1097baa8c3
SHA256

23ba2b5a2d2e31cb9f15345fe01e92ae067df2d555429cddefe9342e8e9bf264
SHA512

52b0d2f0e90ac71f5668c80b4b63de3ef02664064a0b61377baf2c8d5607431c930a9f9503c55a5872596cd364b78138cbd9567bef52f0f46ec2c3e2d47fe78b
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/RvDQeduJHqqnN:ZzFbxmLPWQMOtEvwDpj386Sj/RsN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1832	3012	2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe	30
PID 3012 wrote to memory of 1832	3012	2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe	30
PID 3012 wrote to memory of 1832	3012	2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe	30
PID 3012 wrote to memory of 1832	3012	2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_ada376ee837c92364d427072e1e4773f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
60KB

MD5
cf748560999dca88af93a6b5661d3baa

SHA1
03bfd2167297dd60ca8677d0cc9aea873b0bb02b

SHA256
6a4a9155007ca9c7a47db91a855175616e614bb01d5fbea8dee50fb62e113b67

SHA512
55bed130464d4c006c86e5c33f3550bc1250deb707fc09c98dea7be9625acae344e9d3f9baa609847d6dbd24958666435ce65122dc7e692a8a160a925e8b5fa3

Download Submit
memory/1832-15-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1832-17-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1832-24-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1832-25-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/3012-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3012-8-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/3012-1-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/3012-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download