c349c9d047567cdbc8b885b2a59ad76e51c9bc7d3691406aa07940265c8bffd5

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe
Size

74KB
MD5

02536bd081f7b8b589f92e75257440e0
SHA1

83f30a5dd2588b87df15d0fd3b97a80b23c48986
SHA256

c349c9d047567cdbc8b885b2a59ad76e51c9bc7d3691406aa07940265c8bffd5
SHA512

e503d16a26294239555020afce0617474c825c179498d3baec4cd4966f911636510bb7cd81bc0037594d4a1bb8f778fb2e1adf85470df266fdd38b55514dee94
SSDEEP

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfVtl:vCjsIOtEvwDpj5H9YvQd2d

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2488	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2488	1596	2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe	28
PID 1596 wrote to memory of 2488	1596	2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe	28
PID 1596 wrote to memory of 2488	1596	2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe	28
PID 1596 wrote to memory of 2488	1596	2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_02536bd081f7b8b589f92e75257440e0_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
74KB

MD5
b0c0d2a9fc369e3fde31b44a8f71962a

SHA1
e0410cf9166e6f6fc643fec1754b8fa1fad180ef

SHA256
096f2f9f9a2782c1ebfbc07eb13f10a91f0bbc32b38c55ec82e7fedd7b806a1a

SHA512
7770f6ca3f04de393f713edb5cc2b1486936f36de4610aaa39213495b1f0397f7c292a6898b5c67a06444c1fd6f3b472539cbc94ce876f455c3e07b9185ccdc8

Download Submit
memory/1596-0-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1596-1-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1596-8-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2488-16-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2488-15-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download