1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018

Analysis

max time kernel
114s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe
Size

34KB
MD5

7e2e99bfc8cc222b9290431eec856a86
SHA1

729d4b1f330a6c67e9282083b1bbff799b1198da
SHA256

1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018
SHA512

fb36a7267a1e6fccc2306b7509befb94290acd2d882109fb952c398eb554d6103576ad4aa77b55eeabda99c10882e5c6dcde144f61058f79b8b8f0e79260571b
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg9Arbkzos5eB:bxNrC7kYo1Fxf2rYi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pissa.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pissa.exe1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	pissa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe

Executes dropped EXE 1 IoCs

Processes:

pissa.exe

pid process

4764 pissa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4764	pissa.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe

description	pid	process	target process
PID 1836 wrote to memory of 4764	1836	1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe	pissa.exe
PID 1836 wrote to memory of 4764	1836	1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe	pissa.exe
PID 1836 wrote to memory of 4764	1836	1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe	pissa.exe

C:\Users\Admin\AppData\Local\Temp\1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe
"C:\Users\Admin\AppData\Local\Temp\1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\pissa.exe
"C:\Users\Admin\AppData\Local\Temp\pissa.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
35KB

MD5
2f61b55e9bdc5ad4d2054e238923f6d0

SHA1
48cd392c84a602a7447ae6b80f028a7ae53b958d

SHA256
6d58d702e2a63bcd25cbeed918bdcc2105ca7fa48adb6b391ca99e9a80fbe928

SHA512
cff15bad71a68d3f9084e3a4dda460da0f9b160009f135ca93669eada4959919c708cc753461f8d78172d7991f6059794a1141eb6a3a725bdca922c0e15c9ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pissec.exe

Filesize
261B

MD5
11bed1c06d8f4680de5154405be20365

SHA1
9c3095f1aa0b02924c23592d1e86673bb0081ca1

SHA256
bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666

SHA512
050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8

Download Submit
memory/1836-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/1836-1-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/1836-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/4764-23-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/4764-17-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download