cfee4864a0b9418a1cf617f281b2601fedd0f65f193884c63ef147de5adcd943

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe
Size

91KB
MD5

b60c4de3fb4aa80acd67e125bb16c3fa
SHA1

dce92e3f72e96dc6f3d06bcbfa2e073d72d21e91
SHA256

cfee4864a0b9418a1cf617f281b2601fedd0f65f193884c63ef147de5adcd943
SHA512

ded9c8cf7e532874fb232a5668d7a131ba43984e203b9e443da7cf61a7b5b59d552ffa618f91b43571acb076e609b7dfa4acb9cf06658c14774f07134cb741b2
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp0P:AnBdOOtEvwDpj6z3

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-16.dat	upx
behavioral1/memory/3040-15-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2540-26-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2540	3040	2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe	30
PID 3040 wrote to memory of 2540	3040	2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe	30
PID 3040 wrote to memory of 2540	3040	2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe	30
PID 3040 wrote to memory of 2540	3040	2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_b60c4de3fb4aa80acd67e125bb16c3fa_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
91KB

MD5
8c7a3bc09a9642be7e92fd36bdc9dfb6

SHA1
4e63cb586d6219fb4c303939390c82bb6f3c3e04

SHA256
0dcf694af4de44f77c4354276809f4110680339b0cfd3f0071e5802c38301b8b

SHA512
c87f0defbf9f9c893620d23bb153bbebc7b835ac28860bd21a39368048c7c4d72ff6b771c3b1d3e71f591b3d42c58b863ec9afda0cbf73052ebf96a106fd6664

Download Submit
memory/2540-25-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2540-18-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2540-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3040-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3040-9-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3040-1-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3040-2-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/3040-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download