Overview

overview

10

Static

static

10

2024-01-23...er.exe

windows7-x64

9

2024-01-23...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    0s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2024 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-23_3fb587284baf557e6276f27ec9901bfd_cryptolocker.exe

  • Size

    40KB

  • MD5

    3fb587284baf557e6276f27ec9901bfd

  • SHA1

    1271c73bc46ecd7e9a23cd6511736a95b85a2369

  • SHA256

    2edf794a44c3d5538ea5e90f5a57e98e5382aa31663f300cd97b57572e395a77

  • SHA512

    12ef6f82f9d9406329d7bbf5fc6c70d0239ef7d879f1734be19e3ed1932b4047967b1c87db0d56e9e058c9730d6776dc8cafbf0d37a0f86fc0eff4129f55f1ce

  • SSDEEP

    384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3sp8u5co9+slz:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+s5

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-23_3fb587284baf557e6276f27ec9901bfd_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-23_3fb587284baf557e6276f27ec9901bfd_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    40KB

    MD5

    6e91e72ec2b515e536265d1f1d9b53c6

    SHA1

    4fca0bce9e85efe3e8c2a7e44ab065e07d5e5173

    SHA256

    54c86173c1c45aca7cc7f06fbece45a709eac4ca8012be1d519028b00997fe25

    SHA512

    80e3a8559521b908a14d5787d036cb3ccf92515725f70ca6e44708449a972563313a389a251e6caa951ef8c73c5526d1bb7ef8f71f71311ab874bdd120c57ebf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    12KB

    MD5

    c50cad64b33e1f3c40e7feb2f8fd3c3c

    SHA1

    affe61686ff0754c24464f7912b76d99febc54b9

    SHA256

    6bc1e5570b8c8b8709f5e290e7ec01e143541197ff599321144e7d61772d8cf5

    SHA512

    03be0a28403c0d6e939ea3ca32d0d21a2c176ffbb70173b0db5c0392746fd37e3b610fe8d358de134c1dc39ae28c9fd16688c1f7d12267813ab37a4b3b251f7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    1KB

    MD5

    abebd5b6cae5bfaeb8723623884e0513

    SHA1

    5b965c635314ef06eeeae86053103f21f3aa28b1

    SHA256

    fed1e69b44ec82d8ad042b564d8b9ca9df2c4ce7ff26874d0380ea19bd486e51

    SHA512

    266272facba398f2897a7e1ba6b81ff8f451d81cd013d52521be74c8c835c60f2892c7d6843073a4c129dd5651642aed980d741e04fa8fe20c7ec8d280581c8d

    Download Submit

  • memory/448-18-0x00000000006F0000-0x00000000006F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/448-17-0x0000000002380000-0x0000000002386000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3772-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3772-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3772-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

    Download