4be1b03b65305245a019f7a417da9df306d2982e02258913a5b2a1169155a45b

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 06:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe
Size

97KB
MD5

aeaf879a2dce317516752ce5393f7a4e
SHA1

6c552cc2be087b1146e47fc946a9db9315e8f83e
SHA256

4be1b03b65305245a019f7a417da9df306d2982e02258913a5b2a1169155a45b
SHA512

11b955b96e8724b6e2a188819697ae14fa16d97b4a2a55b8fdcfcb39eb96b4adb7d0b798bc9840e4b31a502496227de883b9d3277c682543cfd6f1642a1716cd
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgpwqWsviPC:AnBdOOtEvwDpj6zE

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2712	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x0007000000012101-11.dat	upx
behavioral1/memory/2792-16-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2712-26-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2712	2792	2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe	30
PID 2792 wrote to memory of 2712	2792	2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe	30
PID 2792 wrote to memory of 2712	2792	2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe	30
PID 2792 wrote to memory of 2712	2792	2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_aeaf879a2dce317516752ce5393f7a4e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
97KB

MD5
6261b92e059e99e6da4084c2de19f08d

SHA1
a2949862aacc5774c4e68d4c640ef5af15e0bc0e

SHA256
9e8d80b455fca384eda2348fcddfeda13cb392b81b58e4d4ffcb5e9f90685ae2

SHA512
7c9777d8b25b2b89252252602bdef27e50ff919d8a4af958eab3621f2c7e39ac6d8003926af77c96b193aadee104d8c7696621dd68476a19bd8ef9f9659fee42

Download Submit
memory/2712-18-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2712-19-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/2712-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2792-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2792-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2792-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2792-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2792-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download