0c39b66c97c8881db9e84d751696069945964dd736779e8831d9b6f3a156c737

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 00:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe
Size

37KB
MD5

40a2c93b7f1ce7362b6bfd63e77e34b4
SHA1

8e03d365342d62c01c2634a115aae175e749c4d0
SHA256

0c39b66c97c8881db9e84d751696069945964dd736779e8831d9b6f3a156c737
SHA512

740f6ba2156e265a95dd8456bbf0f5c09f38805beecabcf725bab135dcc4fa27b357cb95d50667692833bf2eb2c6fb3ea11606266876c892df12ec09b32797dd
SSDEEP

768:qmOKYQDf5XdrDmjr5tOOtEvwDpjAajFEitQbDmoSQCVUBJUkQqE4:qmbhXDmjr5MOtEvwDpj5cDtKkQZ4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2844	2764	2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe	31
PID 2764 wrote to memory of 2844	2764	2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe	31
PID 2764 wrote to memory of 2844	2764	2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe	31
PID 2764 wrote to memory of 2844	2764	2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_40a2c93b7f1ce7362b6bfd63e77e34b4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
38KB

MD5
80547c31b29196105ab5d143674506b8

SHA1
f3a37eb0c9a7837002f589572f9347edbb342116

SHA256
2cf20b1dfa234f3951a208b5ee3588351de71c8f3e5c5eca5bc927a615ff2d6f

SHA512
a8d98d025a89c292196c4beee3ca8d8c9661ce18bd999b778e65a58afefaa5cd54f5015eae13b7542373b9198dc5fd93910d08dfca72cc7cd9284131536f09bd

Download Submit
memory/2764-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2764-2-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2764-9-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2764-1-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2764-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2844-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2844-19-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2844-26-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2844-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download