Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 09/10/2024, 04:32
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe
- Size: 28KB
- MD5: 4549fc7ac66eb0b4fdaab041cb03a1d2
- SHA1: 6baf4d096a68a9b2008ee8634c8dc743ed5142b5
- SHA256: 66be5aa5d8143911a5c8cadd3b4326812a835b560ab58c9966c5fa86f7c4daf1
- SHA512: 3fe9726951d078660d3df78d452ba04825e869a9af276879f2f796b0f5b4065fa92b4ebf0e6f67adfe48ecbd9638927d4720a2d9c2657a06a5835f1ff302d98b
- SSDEEP: 768:q0ZziOWwULueOSdE8tOOtEvwDpjeWaJIO/xX:q0zizzOSxMOtEvwDpj/ar5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2776 | asih.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  376 | 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | asih.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 376 wrote to memory of 2776 | 376 | 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe | 30
  PID 376 wrote to memory of 2776 | 376 | 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe | 30
  PID 376 wrote to memory of 2776 | 376 | 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe | 30
  PID 376 wrote to memory of 2776 | 376 | 2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-09_4549fc7ac66eb0b4fdaab041cb03a1d2_cryptolocker.exe"
   PID: 376
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 2776
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
- MD5: 731f68ab524885d16a5f886dec91e3f6
- SHA1: fa7fa5233c6faec7cbb0d7023b3d5842855e20bb
- SHA256: 1f7c45301f37feb4842b627e54faa84396c1ebe236adffc2d71ee7b8a71f8bad
- SHA512: d293b9062d2eb035721ca85cdeac5062ae2c84c2d9e9388c01454282455707b6db0eced39c5497615a17e46daaafb7bc0d6cd04aac5383a580c721e706c361d8