789ea0e6cb106ae065518e0d37b869b454c072a11b57d34297b0dd452fd1b34a

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe
Size

28KB
MD5

fff0fcd58125e18e34b0893187dc1788
SHA1

7285a0071f3b5347748dc68ac697c699b7764db2
SHA256

789ea0e6cb106ae065518e0d37b869b454c072a11b57d34297b0dd452fd1b34a
SHA512

2a478bcc4cfcc97169ff3a0da9825db18697c0cf88038b4ca2295629d90f4860d5ba649f4c574ce46d006d6ac533a0e185b0242ddd0f6ef6a2d0d3ac17f5b28f
SSDEEP

768:jOb2gOo0mw18ae8MrQRN7DctOOtEvwDpjQR:jKUog898rYMOtEvwDpj8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1808	1708	2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe	30
PID 1708 wrote to memory of 1808	1708	2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe	30
PID 1708 wrote to memory of 1808	1708	2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe	30
PID 1708 wrote to memory of 1808	1708	2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_fff0fcd58125e18e34b0893187dc1788_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
29KB

MD5
99d33136a8cfb6939416212073ab6f54

SHA1
a0072f92e9a19b50e7e63ef97307693898a43f8e

SHA256
c736618a119418dbebc4e47440893ad94c70228f6e50a1d6c2e8c7374d7dfa74

SHA512
4085fbd83f68acd966a5743a2463137912ca1f6089d4fd3cff7526013d6f0d05c55cc03d374a2df3d485be6f8fe56ab0751ed5b4197291290f7097e3ceeb22b2

Download Submit
memory/1708-0-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/1708-10-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1708-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1708-1-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1708-14-0x0000000002990000-0x00000000029A4000-memory.dmp

Filesize
80KB

Download
memory/1708-16-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/1808-19-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1808-20-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1808-27-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download