4fc417c24b95b1b7aad338461dc00cc296e8a753e0f6a348ac5eb834fe32374d

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe
Size

32KB
MD5

8f1bd96d2a24342802d85a5df98fbc21
SHA1

2211ab148be2ee86ad735491112dabc2eacefbd6
SHA256

4fc417c24b95b1b7aad338461dc00cc296e8a753e0f6a348ac5eb834fe32374d
SHA512

0c1d7f027a4fe88f9a239e15754f3821a32ef3d0e15f3aec939d6a4e348026d889fa6408777b152496cb1719a53ffed26914138c0654858fb2522f4a97d8db21
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjB9iNLF:X6QFElP6n+gJQMOtEvwDpjBY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
604	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 604	2524	2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe	30
PID 2524 wrote to memory of 604	2524	2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe	30
PID 2524 wrote to memory of 604	2524	2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe	30
PID 2524 wrote to memory of 604	2524	2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_8f1bd96d2a24342802d85a5df98fbc21_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
32KB

MD5
ba5290fecc8854c91a3f34bc3bc832e0

SHA1
1f725fa1d2174b472e679ceb29d971f5719b9e20

SHA256
7a399d062da98487c7c06ffbe81767b4ee1e157bb6137cb34653306c917a7223

SHA512
246e63e7cdd5e2a0508d87b7945444c7cd6d7ca9135d0b1845b12a5c39d9a905bced30bbe27bbd7a1581bf124aa9f52106007bf3b2dfbc8279b2c3257ba5ee6f

Download Submit
memory/604-16-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/604-15-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2524-8-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2524-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2524-0-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download