69f03df3c66ce4ed081bbd371a870bd2e051d5b806c77d4a8a45012c877c5460

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe
Size

68KB
MD5

09b74b515bff5dfa485f91f4458361d1
SHA1

40257a441e70fc5a593466d38b588d10d7fb4440
SHA256

69f03df3c66ce4ed081bbd371a870bd2e051d5b806c77d4a8a45012c877c5460
SHA512

a62281afc3e2920707025cc955209a4d23722e3f7a69e07213cd56e721d64eb340769a5f598d8df11204e1abb2942b2c26f02060213ad4afdcb518ba97e88a25
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEpE0P/xFIrV:6j+1NMOtEvwDpjr8ox8UDEpN/jCV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2848	2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2708	2848	2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe	30
PID 2848 wrote to memory of 2708	2848	2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe	30
PID 2848 wrote to memory of 2708	2848	2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe	30
PID 2848 wrote to memory of 2708	2848	2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_09b74b515bff5dfa485f91f4458361d1_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
68KB

MD5
568c16bf0359e798d0e8b62517304457

SHA1
a08189900a574dcf8fe41a2c28d43dbc03fc2b47

SHA256
76cd0beb02bf02b4201fec95be83e8227bd964d072bd3791c54d48e7d49aa838

SHA512
2ee7b0c5f5d91d10ad9da39d732b8b76c8a9bf4aec8bbac9dff66cebf582338987f4f0f08afb99ba3dbc35b74e6357d0165a258eb6ae93586e3c2f06e6b17c97

Download Submit
memory/2708-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2708-18-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2708-25-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2708-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2848-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2848-2-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2848-9-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2848-1-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2848-14-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download