Analysis
-
max time kernel
132s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 03:43
Behavioral task
behavioral1
Sample
2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe
Resource
win7-20240729-en
General
-
Target
2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe
-
Size
53KB
-
MD5
a92526487c59ce4fc6393ef704be0397
-
SHA1
48333dda5736ef9ab80b8e18c7467ae198acbfa2
-
SHA256
c7f164a5cddaae05998dfbd9bc26769c236db56717e985c509b469ed20b081a8
-
SHA512
c8c8becff337be7eb737cd94ae7ad7ac19b4ee5cf04f2b0361c161e3865fcdf2e11cc23e1e3982a1e6b6687fe146ccf1b757bbc4bb57f96f35e3cb57c58081f7
-
SSDEEP
768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YY1J+OTOk/4v:z6QFElP6n+gKmddpMOtEvwDpj31ik/2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2016 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 1596 2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe -
resource yara_rule behavioral1/memory/1596-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/files/0x000b0000000122cf-11.dat upx behavioral1/memory/1596-14-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2016-16-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2016-26-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1596 wrote to memory of 2016 1596 2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe 31 PID 1596 wrote to memory of 2016 1596 2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe 31 PID 1596 wrote to memory of 2016 1596 2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe 31 PID 1596 wrote to memory of 2016 1596 2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-25_a92526487c59ce4fc6393ef704be0397_cryptolocker.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD518c742d64c6a4123d8fb7a3356f14ce0
SHA1a940b5ebddf9cb38aa3d5cb1fca4f2c6bb0f9751
SHA256c2ccd0b7f83380fc76885c44da9024c08ab74de72414ab81d6f74e123e5f7520
SHA5128e18c613b75d87d3ba0712957f42ffa200d371f00efe0f7d5dda61e0795861e96830a81cebe4977af1ca0ba8662d1c8a19b9ecdb3bfad7acb2f8db7b2a0c8f70