98b9c302509354235bf58e27583b9e9387abc609283a8545a1918175b9069158

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe
Size

72KB
MD5

9a7fb637897e9886d86f887f52e53f07
SHA1

872a33681121617e28d3d90ac6d9f6b034b47c7b
SHA256

98b9c302509354235bf58e27583b9e9387abc609283a8545a1918175b9069158
SHA512

71103e1fb37516c0c90d1378bb56b22e83820e404282441e92f8d69fa224e1071ccca7c2ffa35388168348acf2959bce68e34f59efa9d536c21803e9f7315afb
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4ZPsED3VK2+ZtyOjgO4r9vFAg2rq2g1B/Ra:vj+jsMQMOtEvwDpj5HZYTjipvF24xg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2480	2208	2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe	30
PID 2208 wrote to memory of 2480	2208	2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe	30
PID 2208 wrote to memory of 2480	2208	2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe	30
PID 2208 wrote to memory of 2480	2208	2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_9a7fb637897e9886d86f887f52e53f07_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
72KB

MD5
26c7cdd2ffecab08d9f36ddca81c5e84

SHA1
202a0151f7b5cb7be7168e888ffe575b6c89a940

SHA256
d29220797b5741b76a3490c3543def2c91a7f286a921705c742ea54e0fe5948c

SHA512
89c32d2b42579c3d636fedfa7f9789bc1ecf8e6e8ebb6bfaaec04b3487096a35de3b8f66737176ec92d80c6ffef30d8f9447dbf83760532809e2145582a37c29

Download Submit
memory/2208-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2208-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2208-2-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2480-16-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2480-15-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download