bfb68d6a60723fc2c0ed7ab0ec7b07770719400264f21b4abae43617484ebd7b

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe
Size

30KB
MD5

3499b33329c025c100821dc992d6cf1c
SHA1

3ba0ea6b6a10aea2f560b4e4e69010079b125165
SHA256

bfb68d6a60723fc2c0ed7ab0ec7b07770719400264f21b4abae43617484ebd7b
SHA512

e3ec9d12a582f3ad14c2bcb35a760e3efac1e651cae0c1b8d54c225b6ea8d60b674b3a88f18e16db56c846ac90396f355e9a43534c426a9c4a13482d4479156a
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjB9a8:X6QFElP6n+gJQMOtEvwDpjBM8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1488	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1852	2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1488	1852	2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe	28
PID 1852 wrote to memory of 1488	1852	2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe	28
PID 1852 wrote to memory of 1488	1852	2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe	28
PID 1852 wrote to memory of 1488	1852	2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_3499b33329c025c100821dc992d6cf1c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
30KB

MD5
aa98072493832f0bee101d827b7a0e88

SHA1
06bc42df42b1cd924ec5c1cf1681273721656b71

SHA256
963bf02ff75203d4adc4653dcbf73e971983b9fd97863e3e2d9a134db18d3229

SHA512
27711fb98c32b21f7b9f08166e837f2e58d7ae45687d383db569bfc2539684979be76940f718584b89b73595761a0e75e57bdf968023816a7e854eef606ce777

Download Submit
memory/1488-15-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1852-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1852-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1852-2-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download