b8dd6e857ec45b7c565fda75d22b4007489f974066bc83ef0d84e3cfecb93243

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe
Size

48KB
MD5

965875f7a734c5b036ab12b9e54a676f
SHA1

1cc5007f32e66aca623d680ffbfd63d60e6204d5
SHA256

b8dd6e857ec45b7c565fda75d22b4007489f974066bc83ef0d84e3cfecb93243
SHA512

d04990e89983d893b2bb41766f49df02214dbf528d863b553d592bdc0c860e0b1b0cdd667b694fcaa1170dfea4bc5ea888cce32d0123311a6b715c0daa811228
SSDEEP

768:P6LsoEEeegiZPvEhHS5+Mh/QtOOtEvwDpjBpaD3TUogs/VXpAPlAl:P6QFElP6k+MRQMOtEvwDpjBQpVX8Al

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2512	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2512	2124	2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe	30
PID 2124 wrote to memory of 2512	2124	2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe	30
PID 2124 wrote to memory of 2512	2124	2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe	30
PID 2124 wrote to memory of 2512	2124	2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-31_965875f7a734c5b036ab12b9e54a676f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
48KB

MD5
6f389e867a1f4abd975eea031f4eb45b

SHA1
5afa3538b89c0eb45e64a2f3d43fe772b05ada3a

SHA256
1cd1144fcf854e8db677dc801cf599f26ae9cb0755a1ba88ada4215c10f09e40

SHA512
55a5b4ef653a5c59275fdcb72baf5bcc1cbae8bb8d820b506b9682e13764c1c736b1a3b6bcb77fa4b0da809ed71f47b353b188aaeff7185f3e9018f543de7217

Download Submit
memory/2124-0-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2124-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2124-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2124-3-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2124-14-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2512-24-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2512-17-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2512-25-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download