Analysis

max time kernel: 141s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 11:24
Behavioral task: behavioral1
Sample: 2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe
Resource: win7-20240903-en
General

Target: 2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe
Size: 39KB
MD5: 4c7064174b872b8d7086694704e135c7
SHA1: 779d5c995094badd408f22b1a8e7b03caf2beb83
SHA256: 56b9f616185b04f68953da9b8438ddc36c35a89f43ee17468fd2884aec9eab45
SHA512: 432363f2424a2240cc8969e3c2fc0550030cb89707e8cfa4fe3d216f41c2a926f359dbc8817a8a40d191396827637ea64fa7c735c14b941e2999d5b311c10c22
SSDEEP: 768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITW:qDdFJy3QMOtEvwDpjjWMl7TW
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  3068  asih.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  2572  2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe

  resource                                                                  yara_rule
  behavioral1/memory/2572-0-0x0000000000500000-0x0000000000510000-memory.dmp   upx
  behavioral1/files/0x000d00000001227f-11.dat                                  upx
  behavioral1/memory/3068-17-0x0000000000500000-0x0000000000510000-memory.dmp  upx
  behavioral1/memory/2572-16-0x0000000000500000-0x0000000000510000-memory.dmp  upx
  behavioral1/memory/3068-27-0x0000000000500000-0x0000000000510000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  asih.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process                                                          procid_target
  PID 2572 wrote to memory of 3068     2572  2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe    31
  PID 2572 wrote to memory of 3068     2572  2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe    31
  PID 2572 wrote to memory of 3068     2572  2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe    31
  PID 2572 wrote to memory of 3068     2572  2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe    31
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_4c7064174b872b8d7086694704e135c7_cryptolocker.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2572

  C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3068
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 39KB
MD5: 3bad014301d7655250d2e13d800bdb88
SHA1: e4f09c81bbd39d8dbda9688a73bb4a99f2e00525
SHA256: a661455bf16772d12a3b7a207823e0a8044f9e9077f7ad025381044524e3b4b4
SHA512: 01e0b6dabbda989b6cf78c624f6ba14af4144884e430311e8a5d289cc1ee871cfa703bb635f2710bf7ffb7cd29cd48f7365bce8dfdf564f1a9a511d79ab62f6c