Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/02/2024, 16:44 UTC

General

  • Target

    2024-02-18_464f6ba5d919a2a13be62d99c43cbcf3_cryptolocker.exe

  • Size

    32KB

  • MD5

    464f6ba5d919a2a13be62d99c43cbcf3

  • SHA1

    b92e98b3ab85358f1545fc13b58e7e43b273fa36

  • SHA256

    3378a70f8f0d863e094cbd3389d400cf8903508bd2fd528d04b96ca1583f1082

  • SHA512

    61003056eff7d0b444b3ba5a89d90050fa5d3754656162017d74d95d106f173d940d4bb4ac3fa4df8e09e3139bc256b90c4c3e5e95af15bd6576d2b6d0d032d0

  • SSDEEP

    384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt9/B1RU3qbSFS:b7o/2n1TCraU6GD1a4Xt9bRU62FS

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-18_464f6ba5d919a2a13be62d99c43cbcf3_cryptolocker.exe (PID 4344, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-18_464f6ba5d919a2a13be62d99c43cbcf3_cryptolocker.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\rewok.exe (PID 2032, depth 2, child of PID 4344)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
      • Executes dropped EXE

Network

  • DNS spinistry.com (process: rewok.exe), remote address 8.8.8.8:53
    Request: spinistry.com IN A
    Response: spinistry.com IN A 64.98.135.121
  • DNS 188.178.17.96.in-addr.arpa, remote address 8.8.8.8:53
    Request: 188.178.17.96.in-addr.arpa IN PTR
    Response: 188.178.17.96.in-addr.arpa IN PTR a96-17-178-188.deploy.static.akamaitechnologies.com
  • DNS 241.150.49.20.in-addr.arpa, remote address 8.8.8.8:53
    Request: 241.150.49.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 73.159.190.20.in-addr.arpa, remote address 8.8.8.8:53
    Request: 73.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 81.171.91.138.in-addr.arpa, remote address 8.8.8.8:53
    Request: 81.171.91.138.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 183.59.114.20.in-addr.arpa, remote address 8.8.8.8:53
    Request: 183.59.114.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 198.187.3.20.in-addr.arpa, remote address 8.8.8.8:53
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 217.135.221.88.in-addr.arpa, remote address 8.8.8.8:53
    Request: 217.135.221.88.in-addr.arpa IN PTR
    Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
  • DNS 29.179.17.96.in-addr.arpa, remote address 8.8.8.8:53
    Request: 29.179.17.96.in-addr.arpa IN PTR
    Response: 29.179.17.96.in-addr.arpa IN PTR a96-17-179-29.deploy.static.akamaitechnologies.com
  • DNS 19.229.111.52.in-addr.arpa, remote address 8.8.8.8:53
    Request: 19.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 260 B | 5
  • 64.98.135.121:443 | spinistry.com | rewok.exe | 104 B | 2
  • 8.8.8.8:53 | spinistry.com | dns | rewok.exe | 59 B / 75 B | 1 / 1
    DNS Request: spinistry.com
    DNS Response: 64.98.135.121
  • 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | dns | 72 B / 137 B | 1 / 1
    DNS Request: 188.178.17.96.in-addr.arpa
  • 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 241.150.49.20.in-addr.arpa
  • 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 73.159.190.20.in-addr.arpa
  • 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | dns | 72 B / 146 B | 1 / 1
    DNS Request: 81.171.91.138.in-addr.arpa
  • 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 183.59.114.20.in-addr.arpa
  • 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | dns | 71 B / 157 B | 1 / 1
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | dns | 73 B / 139 B | 1 / 1
    DNS Request: 217.135.221.88.in-addr.arpa
  • 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | dns | 71 B / 135 B | 1 / 1
    DNS Request: 29.179.17.96.in-addr.arpa
  • 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rewok.exe

    Filesize

    33KB

    MD5

    6ccd6bd7df6c893f6781ffa73b2f0da0

    SHA1

    6557de7ef5b29da20467b298b9a70f0e5737f6e4

    SHA256

    18a51e0468580c605c9fd620376a94dd92d3b3a34eb4baa26a292f9191105bc9

    SHA512

    3d400c7adef87a1053f85b8f163335f713d52bb2513b5f32995c64d773acdc5322fefa0279448ac488a26fbd924b5fbb1488c9923cbfe3a91ebbffc6e13d0e1c

  • memory/2032-21-0x0000000001FA0000-0x0000000001FA6000-memory.dmp

    Filesize

    24KB

  • memory/4344-0-0x0000000002350000-0x0000000002356000-memory.dmp

    Filesize

    24KB

  • memory/4344-1-0x0000000002350000-0x0000000002356000-memory.dmp

    Filesize

    24KB

  • memory/4344-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB