35b92b685236a34c66152534895472c3c89ebc9590d99ff637ef39e4db49cabe

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe
Size

34KB
MD5

cc0bb5494630d518952f7f3dff580ced
SHA1

a1b15a5d657f89c636bf8b58e0db0742fd1d6382
SHA256

35b92b685236a34c66152534895472c3c89ebc9590d99ff637ef39e4db49cabe
SHA512

328c77642b48d45e702b92cf427c20b198f8d7480b79abfa2e1504112d1ab08f8fbeefb20ff0d129f6b53ab391502d7edb7554984c820d3c7b525755bd00ed21
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBjb1iIJS9l:X6QFElP6n+gJQMOtEvwDpjBngH9l

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2312	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1204	2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2312	1204	2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe	30
PID 1204 wrote to memory of 2312	1204	2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe	30
PID 1204 wrote to memory of 2312	1204	2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe	30
PID 1204 wrote to memory of 2312	1204	2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_cc0bb5494630d518952f7f3dff580ced_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
34KB

MD5
5b34d4f901e827b1ebcbeaf90e047e85

SHA1
cc875605e3434c47df30fb00c266e61585a0542e

SHA256
47c902ec05b576e4890b15f5fd92fbf21ee1df0c76b339fb2c5573ddb28995bd

SHA512
8c5fe16db1aaa7885779084b07d49148f77428451ad9cbabde8776124b4a6fd04050b4bcf779ae87f42bf22dc7e30223763fb62f6badec03b5c5e9fb667a5589

Download Submit
memory/1204-1-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1204-0-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1204-9-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2312-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2312-15-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download