Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 17:30
General
-
Target
2024-01-25_7109e89db73dd1bc428b9fca4d98e31f_cryptolocker.exe
-
Size
64KB
-
MD5
7109e89db73dd1bc428b9fca4d98e31f
-
SHA1
7857563f8079c5ddc1fdcdc1fa09425012de59d5
-
SHA256
29dcbda7bd7b305a5365fcf7892357e43a377615106ed425e85218c5f5c51c15
-
SHA512
0394de68bd2a7559fa1b980c6e3d7e8d1232c948c83b2ddab072d86775d88d6aea18789fb3bd5c21a4543a0da76b40c1e68c4568d6f4f9fa13e6e26c037237c6
-
SSDEEP
1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSA9J:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7H
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Detection of CryptoLocker Variants 1 IoCs
-
Detection of Cryptolocker Samples 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_7109e89db73dd1bc428b9fca4d98e31f_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7109e89db73dd1bc428b9fca4d98e31f_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hurok.exe"C:\Users\Admin\AppData\Local\Temp\hurok.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD54263718aef54f76304e2080537abb362
SHA11aeafd53aaf124b503c3e7d1b4c2dd09ee8e2fa8
SHA256c974e3fce0400c3e610fd39b042b7e3737b281f37ba84019ad8d6a01d10eb32b
SHA5123146d2ded272c371429e0df7d796ea145ca8adf921fd8e6ea5cd0b78f196a4fac23f40a338eb947d3b9602de2ee07097558e8f882efad2a297c53e2665d38d9d
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB