c8f090729530813e942467ff04178c9dec99b83be9cbfddefb5d568128c7a478

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe
Size

49KB
MD5

b527c0928aa5a70f9d26767c91f90cf5
SHA1

f35f34f20c1f008b96de97c37b973fdd457726b8
SHA256

c8f090729530813e942467ff04178c9dec99b83be9cbfddefb5d568128c7a478
SHA512

fbb8359b8757f115307e12fe6221470e197afd7338759e700c021d7ff6e23fb817f8080013a45a785c292cab9247d8060bb61e6e0431ab473b5f539b06ca2dd0
SSDEEP

768:P6LsoVEeegiZPvEhHSP+gp/QtOOtEvwDpjBBMLZdzuqpXsiE8Wq/Dpkcs:P6Q0ElP6G+gJQMOtEvwDpjB8WMlfs

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2736	2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2156	2736	2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe	30
PID 2736 wrote to memory of 2156	2736	2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe	30
PID 2736 wrote to memory of 2156	2736	2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe	30
PID 2736 wrote to memory of 2156	2736	2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_b527c0928aa5a70f9d26767c91f90cf5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
ccae43631870738d53756486193c85bb

SHA1
2facb725ac68739c6c95442bb06e6c454310071d

SHA256
196d6567c1c3ce4faedcbfa549cd19e6a91c43d9dcde2a50dc605dfb519da79c

SHA512
a5768aac6e7aa39114a75e7a49a7e41d9141c670fccdf896368a9cea741dd8352214082fbd8f2cd47d74949751ca24b78ee56b560fc024a8ab708f6441d2b4a9

Download Submit
memory/2156-16-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2156-25-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/2156-18-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2156-26-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2736-0-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2736-1-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2736-9-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/2736-2-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2736-14-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download