5d9a7a10d2db8472ce269cf0faee5afb065b40ab8f3e085cf54b6e8d32691dc0

Analysis

max time kernel
132s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe
Size

47KB
MD5

bb064d663fb436350398cf4d34e6c5aa
SHA1

20e260c2c484eabbc864549d1cbdcda694d3e885
SHA256

5d9a7a10d2db8472ce269cf0faee5afb065b40ab8f3e085cf54b6e8d32691dc0
SHA512

21f88384cfc45e2c1b412dda6043c13c3586d25096691435b0a102a0754f3142e615bc3cf27d2db2d646752bc0fcc2db64f8203581118f5c373be11c062cba92
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLaHaMMm2X3dXi:V6QFElP6n+gMQMOtEvwDpjyaHaXri

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2148	2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2176	2148	2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe	30
PID 2148 wrote to memory of 2176	2148	2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe	30
PID 2148 wrote to memory of 2176	2148	2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe	30
PID 2148 wrote to memory of 2176	2148	2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_bb064d663fb436350398cf4d34e6c5aa_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
48KB

MD5
5b1a50273b38a225a1d8c8b9f91eace1

SHA1
40f1a7bb3d48c1f5e1894247d5048c16a8c0e1dc

SHA256
2ce01526d886befc951f3b10dd36830070618b5ccea75cc31aa7843b465e1a89

SHA512
f85f51c9ebe8127736599446acad8873a6038da39a328a68c25a6b314ea17e7d968164a7bac8d2763187b6935e4714ee14b6c4805a4adfaf3300975655debdea

Download Submit
memory/2148-0-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2148-1-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2148-8-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2176-15-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2176-16-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download