b5edc1c6050cd0522dfada97fd242ace59685a7f398e84ec0162eab21fa46072

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe
Size

68KB
MD5

f70e8173bb8e6ce82b9594b1c985137b
SHA1

3c6aa6659df5ce6413cc57dd6b2d6f3b22cd6453
SHA256

b5edc1c6050cd0522dfada97fd242ace59685a7f398e84ec0162eab21fa46072
SHA512

f96fb6a802c16ba2f979d0c8ce7d27c6c906420e39ef51b70de33fe413822865412340c4961ee62ff3d374a476a52e955b835d103bf3a5a75b6d235346e820c3
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEpE0P/xFIP:6j+1NMOtEvwDpjr8ox8UDEpN/je

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1480	1928	2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe	30
PID 1928 wrote to memory of 1480	1928	2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe	30
PID 1928 wrote to memory of 1480	1928	2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe	30
PID 1928 wrote to memory of 1480	1928	2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_f70e8173bb8e6ce82b9594b1c985137b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
68KB

MD5
138fede5367c55933e242d417534118e

SHA1
a69615f6fe7476363762a3ab78197efebbc4ef23

SHA256
0a5f2c99b2f0ffa56f5a8231f1c5cfc4e6eb69a30cf748e84a45759eed8f7995

SHA512
adab5d9f04f3e8939c9ccfc82b9ae6de918a290c7409f02de2a69409857d1f41bc4fa8fcb5a8fcddca0422ce3d3bd7031bc2bb635feff65ef69772afbd4bcefc

Download Submit
memory/1480-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1480-17-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1480-18-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1480-25-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1928-1-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/1928-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1928-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1928-8-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download