Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/02/2024, 10:35 UTC

General

  • Target

    2024-02-28_46e8b9cbd003034ea761e5090237a7a3_cryptolocker.exe

  • Size

    36KB

  • MD5

    46e8b9cbd003034ea761e5090237a7a3

  • SHA1

    066b2f736d7bdad35fd9dbd0e6f4bdedf4ac52b8

  • SHA256

    5ffbb92a1ee1d8d4723717d78ebb42592ad7257b39a59af1aa058914bee01131

  • SHA512

    938154ecef08f267f8d4fc78d8f13d9233462cdc6c3974761ca399df89e836e6f3955173a30ecb20b0f4c2ee9261d38e9d6eeb5480d04ef0504098587923407c

  • SSDEEP

    768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen7JE5R:bxNrC7kYo1Fxf3s065R

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-28_46e8b9cbd003034ea761e5090237a7a3_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-28_46e8b9cbd003034ea761e5090237a7a3_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\pissa.exe
      "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
      2⤵
      • Executes dropped EXE
      PID:4048

Network

  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    el-padrino.com
    pissa.exe
    Remote address:
    8.8.8.8:53
    Request
    el-padrino.com
    IN A
    Response
    el-padrino.com
    IN A
    156.234.72.21
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.178.17.96.in-addr.arpa
    IN PTR
    Response
    209.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-209deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    177.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    177.178.17.96.in-addr.arpa
    IN PTR
    Response
    177.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-177deploystaticakamaitechnologiescom
  • flag-us
    DNS
    12.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    12.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    160 B
    5
    4
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    160 B
    5
    4
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    160 B
    5
    4
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    160 B
    5
    4
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    160 B
    5
    4
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    160 B
    5
    4
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    120 B
    5
    3
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    120 B
    5
    3
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    260 B
    200 B
    5
    5
  • 156.234.72.21:443
    el-padrino.com
    pissa.exe
    104 B
    80 B
    2
    2
  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    el-padrino.com
    dns
    pissa.exe
    60 B
    76 B
    1
    1

    DNS Request

    el-padrino.com

    DNS Response

    156.234.72.21

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    209.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    209.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    177.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    177.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    12.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    12.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pissa.exe

    Filesize

    36KB

    MD5

    0f5d48d46e2bfc6d442f466a5479d4cc

    SHA1

    a6f8732fc6c507d3f2f0960eb6578b3ff97b3451

    SHA256

    30197a802074bcd310abe89e8b018ad5bb1075458248667d0122122b3c5e7dd0

    SHA512

    7d6ec4a9c17b296539c5b2694231e535f0caedb8d6b884fd97e68ed96b99df1e1a70f8679f919c69bdc80ef7af0482cc728fe0e57688849819c3e33a6c878c1d

  • memory/3060-0-0x0000000002D60000-0x0000000002D66000-memory.dmp

    Filesize

    24KB

  • memory/3060-1-0x0000000002D60000-0x0000000002D66000-memory.dmp

    Filesize

    24KB

  • memory/3060-2-0x0000000003010000-0x0000000003016000-memory.dmp

    Filesize

    24KB

  • memory/4048-21-0x0000000000780000-0x0000000000786000-memory.dmp

    Filesize

    24KB
