Overview

overview

10

Static

static

1

BlockTheSpot.bat

windows10-2004-x64

10

BlockTheSpot.bat

windows11-21h2-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BlockTheSpot.bat

  • Size

    265B

  • Sample

    240902-ccxvgayckj

  • MD5

    d2a6bb7593c8c2c054a65c6d2167197a

  • SHA1

    721bc41054dfbdac908e11881e5c1885002a8183

  • SHA256

    8b78d1071a5c9add21685f9607f42010ef8c04fd4a789a45fe8678fde6ab1d24

  • SHA512

    48fbc3ef45ec6b1fe3fd6a6d832739308bcf84c4bd7fa83b7295e054a29dda15cc0b70d93ef43906c3c9fb4194e66eab02eb8863d2a1a5646c18d7b3a52984ca

Score
10/10
cryptolockerdiscoveryexecutionpersistenceransomware

Malware Config

Targets

    • Target

      BlockTheSpot.bat

    • Size

      265B

    • MD5

      d2a6bb7593c8c2c054a65c6d2167197a

    • SHA1

      721bc41054dfbdac908e11881e5c1885002a8183

    • SHA256

      8b78d1071a5c9add21685f9607f42010ef8c04fd4a789a45fe8678fde6ab1d24

    • SHA512

      48fbc3ef45ec6b1fe3fd6a6d832739308bcf84c4bd7fa83b7295e054a29dda15cc0b70d93ef43906c3c9fb4194e66eab02eb8863d2a1a5646c18d7b3a52984ca

    Score
    10/10
    cryptolockerdiscoveryexecutionpersistenceransomware

    • CryptoLocker

      Ransomware family with multiple variants.

      ransomwarecryptolocker

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks