Overview

overview

10

Static

static

10

2024-05-29...er.exe

windows7-x64

9

2024-05-29...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-29_a2e9b8c9c08c42204b16ecac24acb7f3_cryptolocker.exe

  • Size

    41KB

  • MD5

    a2e9b8c9c08c42204b16ecac24acb7f3

  • SHA1

    6261ed66ca57319374fdf926e05dbf726b43135d

  • SHA256

    6934a9ee12b9a291a5ddd539e033e7e71872fc2e67b93317ed964116464ae972

  • SHA512

    2f623b874a9c49b26bf3e64552e84269c2e24867334cfe14997bb66453c147024cd8a6bd2509073bcc98105e7aa8fd0b2370fd91ca176af5b0e40eae01647cfc

  • SSDEEP

    768:ba74zYcgT/EkdCQgpwXFXSqQXfj0xKsmoX:ba6YcA/Xk3wXFXSqAJqX

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_a2e9b8c9c08c42204b16ecac24acb7f3_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_a2e9b8c9c08c42204b16ecac24acb7f3_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      PID:4080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    41KB

    MD5

    ee09a313db17a60979db62736bb00573

    SHA1

    67f6a03648322238b6b49f6f6ff4f9469f2cfd46

    SHA256

    565f4281f31a4967c24cae81b4c5f1641b17ef2e30d1e133aa3f83da9ad172e2

    SHA512

    344cf17a7d6dfa475362da6fdbfeaccd264cf3bd65100ff89614a1f5d6163d5ccc8a1d976c918d38998a4e787185918e3567d1e17118682ac65141fb59f32d48

    Download Submit

  • memory/2040-0-0x0000000008000000-0x000000000800F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2040-1-0x0000000002D60000-0x0000000002D66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2040-2-0x0000000003010000-0x0000000003016000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2040-9-0x0000000002D60000-0x0000000002D66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2040-17-0x0000000008000000-0x000000000800F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4080-25-0x0000000002160000-0x0000000002166000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4080-19-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4080-26-0x0000000008000000-0x000000000800F000-memory.dmp

    Filesize

    60KB

    Download