15ac6a5217362da024162afddf764bd5a48330d2f9de2c8bdf3712253f63809e

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe
Size

38KB
MD5

8fe0a1098e54a3f1041b11515f89635c
SHA1

49fde83653b26c3732c93a7a377b86924e63d9eb
SHA256

15ac6a5217362da024162afddf764bd5a48330d2f9de2c8bdf3712253f63809e
SHA512

05d4c84f64cdacdadcdd29a35211511399fb021b8ace71f0b7d6985aaeefcef58449d139837fa8eab91170d353215884b523c0369d87f40207ffa976a7ce2a3c
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHSO:X6QFElP6n+gJQMOtEvwDpjBmzDIO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
108	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2432	2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 108	2432	2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe	31
PID 2432 wrote to memory of 108	2432	2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe	31
PID 2432 wrote to memory of 108	2432	2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe	31
PID 2432 wrote to memory of 108	2432	2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_8fe0a1098e54a3f1041b11515f89635c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
38KB

MD5
8a234aabed80efae1de7471df43c3a4c

SHA1
0223fa9362f9bfcdc064d010ee2deaa6b95d5793

SHA256
124637f5f9b2d121d34b74722fdb3c10ceed279d935269264a25c8428fbdc5b8

SHA512
b1e5694594d4ea4fd7b46052f1a6123457780f94cd23f9d60aa2b6f680abf2f862806345e86739ec5efafefe78534ceb1e11987a367e1d5da3c85b63140d6842

Download Submit
memory/108-22-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/108-15-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2432-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2432-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2432-8-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download