a4abe13faae5eeff9be07efd7f91771a1f6fae7c22cf955cd1333fd4849a3447

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe
Size

55KB
MD5

10177985ce018afc53d98a0d20179213
SHA1

861c33724090cce547497d6269802e1cdd2d7374
SHA256

a4abe13faae5eeff9be07efd7f91771a1f6fae7c22cf955cd1333fd4849a3447
SHA512

8ffb1beae30de4c98c98d76bef5f7d6de0e4c1bb1f5b275805863869547bf9f697197efba3b253b946622ab3495b734c1f4abe7132d6f40abd87fd0cca3f24bb
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vxmlcaTIz:X6QFElP6n+gJBMOtEvwDpjBtExml4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
340	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 340	2368	2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe	30
PID 2368 wrote to memory of 340	2368	2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe	30
PID 2368 wrote to memory of 340	2368	2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe	30
PID 2368 wrote to memory of 340	2368	2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_10177985ce018afc53d98a0d20179213_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
55KB

MD5
e0a21334240c1eb8d9c5ce6c286c8f37

SHA1
b988031573c9d03d2e3f736020917fe310290b05

SHA256
7a61fb6b50036d9789bcc50baad14ac956ae57c6c5b816973af7423e3f3a5be5

SHA512
39437a78b4a45a74a271fdc938c0a495bc327ed5c41e5c2dafdbe2cbbe561cef54ccc962036bf0d40c943efec3c28800321a98eea9c92d40f246ff61f88bd0c4

Download Submit
memory/340-22-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2368-7-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2368-1-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2368-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download