afc78bacb999446ac13f660effc1c4b4cbee5a22b08ef146da46173ddb545759

Analysis

max time kernel
132s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe
Size

81KB
MD5

de83e60c1a22ed24f94ca673e8517051
SHA1

8690a80b01e9df384a205d336b23e96dd78d5a7e
SHA256

afc78bacb999446ac13f660effc1c4b4cbee5a22b08ef146da46173ddb545759
SHA512

5b956a644cab64dda89d1514e8180905083bbd909d59ecd9523c4426bfe19b2ef331b602606c2a749c28f070963cc8b1a8a7e320aaa3a6ad12d3d8915dcf6c46
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalDSnUCH:1nK6a+qdOOtEvwDpjl

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2628	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
584	2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/584-0-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/files/0x000c000000014b4f-11.dat	upx
behavioral1/memory/584-12-0x0000000001F60000-0x0000000001F70000-memory.dmp	upx
behavioral1/memory/584-16-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/memory/2628-17-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/memory/2628-27-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2628	584	2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe	31
PID 584 wrote to memory of 2628	584	2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe	31
PID 584 wrote to memory of 2628	584	2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe	31
PID 584 wrote to memory of 2628	584	2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_de83e60c1a22ed24f94ca673e8517051_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
81KB

MD5
f818d20fdd5c35de20aaee2b3e431b11

SHA1
fd39329969c1bfbbbac4ddd67180f285abb447e0

SHA256
61248eedb84231336276256d775e7642303c5dff2cc2544a40798f72e0f81548

SHA512
5e186bd493984329153aa6a66d5ed775d5bcd1a6cadd1ae3a59a29f6ba06dc1ba22867751b5f404ae06e85cfe84214d256c9f93698514dbd04e4076178cb0182

Download Submit
memory/584-0-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/584-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/584-2-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/584-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/584-12-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/584-16-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2628-17-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2628-19-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2628-26-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2628-27-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download