1d99a2de744cbc0b9c28bf95efbe2c4c63e8b54a39a6800776533bdc71dca2ce

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe
Size

39KB
MD5

fe6dddb7d571f1ffc96f9a338dac0fb1
SHA1

e885bc7fd90c9f4b073b1d0d87e25a03b9c37de2
SHA256

1d99a2de744cbc0b9c28bf95efbe2c4c63e8b54a39a6800776533bdc71dca2ce
SHA512

2cb13dcd7efd346f55e725fea26dfb41ef7aaba655f099d82deb49396dfa39ca3bebf09ad60f614b9d1b87a835a25e8383958084dddce922050dc4e05363666c
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITYaId0:qDdFJy3QMOtEvwDpjjWMl7TdA0

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1012	2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1012-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000b00000001226a-11.dat	upx
behavioral1/memory/1012-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2472-25-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2472	1012	2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe	31
PID 1012 wrote to memory of 2472	1012	2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe	31
PID 1012 wrote to memory of 2472	1012	2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe	31
PID 1012 wrote to memory of 2472	1012	2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_fe6dddb7d571f1ffc96f9a338dac0fb1_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
39KB

MD5
48aa93d01c7736d2681bb3867294d305

SHA1
528cd8040af5cd912ccb3b0ec58dbae552b50614

SHA256
8858733ab55e783c139870d418b473fd071e6882b6128ad666473354742164c8

SHA512
adec0bec32c859b22f7b881e8a53a4bf3bbea52b5bf9da034b0405223db100042facef9c4e4f2164fc8e58d905a3c5656b13dd4a95e50fdb7e2f7591617f126f

Download Submit
memory/1012-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1012-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1012-2-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/1012-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1012-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2472-18-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2472-25-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download