Analysis

  • max time kernel
    114s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-05-2024 19:28

General

  • Target

    1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe

  • Size

    34KB

  • MD5

    7e2e99bfc8cc222b9290431eec856a86

  • SHA1

    729d4b1f330a6c67e9282083b1bbff799b1198da

  • SHA256

    1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018

  • SHA512

    fb36a7267a1e6fccc2306b7509befb94290acd2d882109fb952c398eb554d6103576ad4aa77b55eeabda99c10882e5c6dcde144f61058f79b8b8f0e79260571b

  • SSDEEP

    768:bxNQIE0eBhkL2Fo1CCwgfjOg9Arbkzos5eB:bxNrC7kYo1Fxf2rYi

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe
    "C:\Users\Admin\AppData\Local\Temp\1e7a10a68786573c5460267391a8619712b2893b582cf688fb5004b1a6211018.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\pissa.exe
      "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4764
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4972

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\pissa.exe

      Filesize

      35KB

      MD5

      2f61b55e9bdc5ad4d2054e238923f6d0

      SHA1

      48cd392c84a602a7447ae6b80f028a7ae53b958d

      SHA256

      6d58d702e2a63bcd25cbeed918bdcc2105ca7fa48adb6b391ca99e9a80fbe928

      SHA512

      cff15bad71a68d3f9084e3a4dda460da0f9b160009f135ca93669eada4959919c708cc753461f8d78172d7991f6059794a1141eb6a3a725bdca922c0e15c9ee6

    • C:\Users\Admin\AppData\Local\Temp\pissec.exe

      Filesize

      261B

      MD5

      11bed1c06d8f4680de5154405be20365

      SHA1

      9c3095f1aa0b02924c23592d1e86673bb0081ca1

      SHA256

      bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666

      SHA512

      050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8

    • memory/1836-0-0x0000000002250000-0x0000000002256000-memory.dmp

      Filesize

      24KB

    • memory/1836-1-0x0000000002250000-0x0000000002256000-memory.dmp

      Filesize

      24KB

    • memory/1836-2-0x0000000003150000-0x0000000003156000-memory.dmp

      Filesize

      24KB

    • memory/4764-23-0x00000000006F0000-0x00000000006F6000-memory.dmp

      Filesize

      24KB

    • memory/4764-17-0x0000000000770000-0x0000000000776000-memory.dmp

      Filesize

      24KB