Overview

overview

10

Static

static

10

2024-01-25...er.exe

windows7-x64

9

2024-01-25...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-25_7a967491d20b799cab6af850c73af3be_cryptolocker.exe

  • Size

    51KB

  • MD5

    7a967491d20b799cab6af850c73af3be

  • SHA1

    325332d1fe41cb467ab9b65b89101e17eff34499

  • SHA256

    e1a013601c6b0e33e00e091d7cbf9991103359e81baee1daecb8f77f7a33b3e5

  • SHA512

    9573ead97632f2b4dd9f2e2fbe9107d1573c64592c73f1823dcbb787edc123a6a25afd4b0d9db6c7d2e36815287de4c0424252f280b5c0054b412dbdbfaf0954

  • SSDEEP

    768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9GZ:bIDOw9a0DwitDZzv

Score
10/10
kinsingloader

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_7a967491d20b799cab6af850c73af3be_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_7a967491d20b799cab6af850c73af3be_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Users\Admin\AppData\Local\Temp\lossy.exe
      "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
      2⤵
      • Executes dropped EXE
      PID:3296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lossy.exe
    Filesize

    51KB

    MD5

    fff6d96feae5a88d4416b9c0c3bf1119

    SHA1

    1aa580da457a2c9f0931623a5f58c62b859d0d4d

    SHA256

    9acc9f834d4e8ec30f0d834d4ccd1fb8b3f5e6d4f6c140bed0adde8a74be1e96

    SHA512

    08f44f731bf16b99f6b64e82ef5b2ab68e468a103fb4517229198be82c61de52771816b5cf2f1ef2cab81a57f6cf38b1313f4dc58bda9bca5d80c0f36148c097

    Download Submit
  • memory/3176-0-0x0000000002180000-0x0000000002186000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3176-2-0x00000000021B0000-0x00000000021B6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3176-1-0x0000000002180000-0x0000000002186000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3296-17-0x0000000002030000-0x0000000002036000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3296-23-0x00000000021C0000-0x00000000021C6000-memory.dmp
    Filesize

    24KB

    Download