Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 17:38

General

  • Target

    2024-01-25_d62f04daf8a916aba6fa404fe18835a5_cryptolocker.exe

  • Size

    46KB

  • MD5

    d62f04daf8a916aba6fa404fe18835a5

  • SHA1

    96580256d98de70a7e49ca5593cfea26d17da332

  • SHA256

    b0b814fc7085583a9adc41e3402e3349913ebeeccee99845dcb9391d51e5d8c3

  • SHA512

    9f0bcddfa43e3b9b8e846a5bd7b183b0c968d2b6d3d85a5c2aaad5424c556d0d924f83f785b14f9af5d1576b04879d2c2e2cc371ff9f6321619e6a696ab2c774

  • SSDEEP

    768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5z/hDd:bgGYcA/53GAA6y37nbp

Score
10/10

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.
    (Caveat: at 46KB this sample is orders of magnitude smaller than a statically linked Go PE, so this family signature is most likely a false positive. The CryptoLocker-variant detection and the dropped-EXE execution below are the findings that actually characterise this sample.)

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_d62f04daf8a916aba6fa404fe18835a5_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d62f04daf8a916aba6fa404fe18835a5_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      PID:1964
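The process tree above shows the core behaviour of this sample: an executable in the user's Temp directory writes a second executable (hasfj.exe, listed under Downloads with its own hashes) to the same directory and runs it. The following Python helper is an added example, not part of the sandbox report: it carries the file hashes the report lists as a lookup table, and it flags a Temp-resident parent spawning a different Temp-resident executable over process-creation events. The event records and field names (pid, ppid, image) are constructed to mirror the report's tree and are not a sandbox export format; the parent PID 700 for the initial process is assumed, since the report does not show it.

```python
"""
Added triage helper (not from the sandbox report). Two pieces:
  1. IoC lookup against the MD5/SHA1/SHA256 values the report lists for the
     submitted sample and the dropped hasfj.exe.
  2. A detection over process-creation events for the behaviour shown in the
     report's process tree: a process running from %LOCALAPPDATA%\\Temp that
     spawns a *different* executable from the same directory.
"""
from __future__ import annotations

import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hashes copied verbatim from the report (SHA512 omitted for brevity).
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "2024-01-25_d62f04daf8a916aba6fa404fe18835a5_cryptolocker.exe": {
        "md5": "d62f04daf8a916aba6fa404fe18835a5",
        "sha1": "96580256d98de70a7e49ca5593cfea26d17da332",
        "sha256": "b0b814fc7085583a9adc41e3402e3349913ebeeccee99845dcb9391d51e5d8c3",
    },
    "hasfj.exe": {
        "md5": "f1b0a009eb2c2de6827bebdb65603b1c",
        "sha1": "1dc06afe6dd238939acb24c385a8af515066be8d",
        "sha256": "589e17dfcbcab9292c00eb184febcb9a2d085efc7cfa3347af9d4e8fdf3c78f9",
    },
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase md5/sha1/sha256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk in chunks so large samples do not need to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: Dict[str, str]) -> List[str]:
    """Names of report IoCs that share any digest with `digests` (case-insensitive)."""
    wanted = {k: v.lower() for k, v in digests.items()}
    return [
        name
        for name, known in REPORT_IOCS.items()
        if any(wanted.get(algo) == val for algo, val in known.items())
    ]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the executable image


# Per-user Temp marker; matched on the lowercased path so drive/case do not matter.
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


def in_user_temp(image: str) -> bool:
    return USER_TEMP_MARKER in image.lower()


def find_dropped_exe_executions(events: Iterable[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, child_basename) for each Temp parent that
    launches a different Temp-resident executable, which is the shape of the
    report's 1152 -> 1964 edge. Same-image re-spawns (e.g. self-restart) are ignored."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, int, str]] = []
    for child in by_pid.values():
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_image = ntpath.basename(parent.image).lower() == ntpath.basename(child.image).lower()
        if in_user_temp(parent.image) and in_user_temp(child.image) and not same_image:
            hits.append((parent.pid, child.pid, ntpath.basename(child.image)))
    return hits


# Constructed events mirroring the report's tree. PPID 700 for the first
# process and the benign notepad.exe event are assumptions added for the demo.
SAMPLE_EVENTS = [
    ProcEvent(1152, 700, r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d62f04daf8a916aba6fa404fe18835a5_cryptolocker.exe"),
    ProcEvent(1964, 1152, r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"),
    ProcEvent(2200, 700, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for parent_pid, child_pid, name in find_dropped_exe_executions(SAMPLE_EVENTS):
        print(f"dropped-EXE execution: pid {parent_pid} -> pid {child_pid} ({name})")
    print("IoC match for dropped file:", match_iocs({"md5": "f1b0a009eb2c2de6827bebdb65603b1c"}))
```

In an investigation the hash side would be fed from `hash_file()` over a recovered binary rather than the literal in the `__main__` block, and the process rule would run over the EDR's process-creation telemetry; the `same_image` exclusion keeps a self-restarting installer in Temp from firing the rule on its own.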

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe

    Filesize

    46KB

    MD5

    f1b0a009eb2c2de6827bebdb65603b1c

    SHA1

    1dc06afe6dd238939acb24c385a8af515066be8d

    SHA256

    589e17dfcbcab9292c00eb184febcb9a2d085efc7cfa3347af9d4e8fdf3c78f9

    SHA512

    8221f4e6cd4698e13765e9288d2c31833a16b0745792793c22822a5b4100433382ca43142a18b6e30db211e50d035d5bab98e8f1235f74b2dcdc38434dd2a8cd

  • memory/1152-0-0x0000000002340000-0x0000000002346000-memory.dmp

    Filesize

    24KB

  • memory/1152-1-0x0000000002340000-0x0000000002346000-memory.dmp

    Filesize

    24KB

  • memory/1152-2-0x0000000002500000-0x0000000002506000-memory.dmp

    Filesize

    24KB

  • memory/1964-17-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

    Filesize

    24KB

  • memory/1964-19-0x0000000002120000-0x0000000002126000-memory.dmp

    Filesize

    24KB