f9fcd9ec35963474cc6cf20c2f651d4003f9cd394bf5609ca0c8e16b3cc8df95

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe
Size

31KB
MD5

54140d0fbd85f90d296cbb36b24d7e1c
SHA1

2828985d00f4d250f1456c0852e0e65c2df454f5
SHA256

f9fcd9ec35963474cc6cf20c2f651d4003f9cd394bf5609ca0c8e16b3cc8df95
SHA512

a52e2f60b1ddaadafa5082b2a538ac9784f25ec920db1295ed0768a0e2a9577e2d04ce475458efa8b15952da85a38887bc4b25a7171525a0705f67ed91e435bf
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNMq2:bA74zYcgT/Ekd0ryfjPIunqpeN0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasfj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2028	2128	2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe	30
PID 2128 wrote to memory of 2028	2128	2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe	30
PID 2128 wrote to memory of 2028	2128	2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe	30
PID 2128 wrote to memory of 2028	2128	2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-15_54140d0fbd85f90d296cbb36b24d7e1c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
31KB

MD5
bb0abdd1c914dc935ac636d065ca95e8

SHA1
6209194ff79f9ebd14e0e15ae2bd9b40f1818f60

SHA256
5ce8bb18a1b345f58207aa6a0758d428251e1856d83e76f3143f9c878be859b4

SHA512
c16935b7c8a50743aa25735bdeb3cb88255c71448ab58f2bb71985204c22dd2a97daa26dbc0eae873170b068337ea4d5dd00f929dfbc6033836c3902df3c7ccf

Download Submit
memory/2028-22-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2028-15-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2128-0-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2128-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2128-2-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download