Analysis
-
max time kernel
114s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 19:28
Static task
static1
Behavioral task
behavioral1
Sample
1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe
Resource
win10v2004-20240226-en
General
-
Target
1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe
-
Size
34KB
-
MD5
7e2e99bfc8cc222b9290431eec856a86
-
SHA1
729d4b1f330a6c67e9282083b1bbff799b1198da
-
SHA256
1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018
-
SHA512
fb36a7267a1e6fccc2306b7509befb94290acd2d882109fb952c398eb554d6103576ad4aa77b55eeabda99c10882e5c6dcde144f61058f79b8b8f0e79260571b
-
SSDEEP
768:bxNQIE0eBhkL2Fo1CCwgfjOg9Arbkzos5eB:bxNrC7kYo1Fxf2rYi
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\pissa.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
pissa.exe1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation pissa.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe -
Executes dropped EXE 1 IoCs
Processes:
pissa.exepid process 4764 pissa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exedescription pid process target process PID 1836 wrote to memory of 4764 1836 1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe pissa.exe PID 1836 wrote to memory of 4764 1836 1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe pissa.exe PID 1836 wrote to memory of 4764 1836 1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe pissa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe"C:\Users\Admin\AppData\Local\Temp\1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\pissa.exe"C:\Users\Admin\AppData\Local\Temp\pissa.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4764
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵PID:4972
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD52f61b55e9bdc5ad4d2054e238923f6d0
SHA148cd392c84a602a7447ae6b80f028a7ae53b958d
SHA2566d58d702e2a63bcd25cbeed918bdcc2105ca7fa48adb6b391ca99e9a80fbe928
SHA512cff15bad71a68d3f9084e3a4dda460da0f9b160009f135ca93669eada4959919c708cc753461f8d78172d7991f6059794a1141eb6a3a725bdca922c0e15c9ee6
-
Filesize
261B
MD511bed1c06d8f4680de5154405be20365
SHA19c3095f1aa0b02924c23592d1e86673bb0081ca1
SHA256bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666
SHA512050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8