37b149682386bb9a88bbf0547740b5e9ab960564861e06c945a5f869be3b2566

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe
Size

55KB
MD5

17c93a561d9f8f8c5674d46b6674ae59
SHA1

e8500c1bf7a517feb30d434c0b11a8ae9ce443d9
SHA256

37b149682386bb9a88bbf0547740b5e9ab960564861e06c945a5f869be3b2566
SHA512

7e59dd0f1735198c39fa7981d549308cc8b01264c5221952227bea6545b6b8e06e1e28d483f02eb453f9e7a7ea1537fae1ac51845c87efbf5dc865e03c73d73f
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vxmlcaTIZ:X6QFElP6n+gJBMOtEvwDpjBtExmle

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1276	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1128	2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1276	1128	2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe	31
PID 1128 wrote to memory of 1276	1128	2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe	31
PID 1128 wrote to memory of 1276	1128	2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe	31
PID 1128 wrote to memory of 1276	1128	2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_17c93a561d9f8f8c5674d46b6674ae59_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
55KB

MD5
42206b03ac80206a22453bd031c8f57f

SHA1
b529e31cbd9b3574f14f58a0e645c64128ed3238

SHA256
909368824c6db70d9ff8c12ee7801d53e8243d3e559e9cd60b83e52031bd5156

SHA512
8929797081243991d7fcfce4800d9b4b57bbd3f67c38ae35e4cd5d809c9757263ace51223f16ded2a939495997408b372e3f41f64c529af7e42114c3b85f5f19

Download Submit
memory/1128-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1128-1-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1128-8-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1276-22-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1276-15-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download