1c97edf3cb6ab40a3ac6c43252b00693a32133e5c450c7e40006ddf670fc7d36

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 05:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe
Size

53KB
MD5

91e433859ac228f6d844fc7625dc9a6e
SHA1

43702ad27a59436bfc8336ca064a09a3763467f3
SHA256

1c97edf3cb6ab40a3ac6c43252b00693a32133e5c450c7e40006ddf670fc7d36
SHA512

b8882a595dec031a6451929d28cfd3880bf6f6e575196a23195a5f1f9f2b72e07f7cd14d16eab5a49260ad3a2a701db82f2f64ff3e9e85422366e277bbd0dca1
SSDEEP

384:icX+ni9VCr5nQI021q4VQBqURYp055TOtOOtEvwDpjqIGR/hHi7/OlIDtW4e:XS5nQJ24LR1bytOOtEvwDpjNbjfe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2172	2528	2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe	30
PID 2528 wrote to memory of 2172	2528	2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe	30
PID 2528 wrote to memory of 2172	2528	2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe	30
PID 2528 wrote to memory of 2172	2528	2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_91e433859ac228f6d844fc7625dc9a6e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
53KB

MD5
0458f63f0ccd57db565b766fd6362b2f

SHA1
b3abcd3b2d9fc7116ff3fc20d7147fea23b348eb

SHA256
f234aefe40087c68b93a25cc63f87655f47bcba8a74f0d001865ce0af889efda

SHA512
3c297890bed222f78a4e0ded881b9699c67d7b91ef7a19512947df4424275747c7ce0c9c3ebbfc5c62fbda3c0be58842af1078bd54986d96e3e351be59b40b9b

Download Submit
memory/2172-18-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2172-25-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2172-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2528-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2528-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2528-9-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2528-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2528-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download