Overview

overview

7

Static

static

3

2024-09-11...er.exe

windows7-x64

7

2024-09-11...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 13:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-11_02a3b95f78a14b5435512af85e0d9474_cryptolocker.exe

  • Size

    42KB

  • MD5

    02a3b95f78a14b5435512af85e0d9474

  • SHA1

    a36b5e2869c6225af43fd029e2010a2674fffac6

  • SHA256

    808807b9d41f187fce53d5449b1b594692ab60eec78db0ec453551d7d8841128

  • SHA512

    3c02eb61f65be4ac1105ee001fb84f6ac6696284b6053f2735f9cd67023592ec1a02081ee725603e51f7b570100e72b806c9689e6e8a7684cb9cf13163b02d82

  • SSDEEP

    768:bA74zYcgT/Ekd0ryfjPIunqpeNswmT3HwnCD:bA6YcA/X6G0W143QE

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-11_02a3b95f78a14b5435512af85e0d9474_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-11_02a3b95f78a14b5435512af85e0d9474_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1800

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
          Filesize

          42KB

          MD5

          b6b32b3facea68d5679c6d390d035f52

          SHA1

          eb2f17e4a24ec3b2783c3fe92116bd566313c180

          SHA256

          80060b2784bbce297ffb0fdc345dd68da3cd7f87905684d12d224cfe87dc4ac0

          SHA512

          4a1d110044c1b0438cc1f29509cf53e6b8840cf567cd247fb66f3840defe71b196f86d95a3f8eeaa4da2f434d3f9d90d06c230172ec2a1578ac6f5a1ae71529a

          Download Submit

        • memory/1800-23-0x00000000005F0000-0x00000000005F6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1800-17-0x0000000002140000-0x0000000002146000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4216-0-0x0000000002D60000-0x0000000002D66000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4216-2-0x0000000003010000-0x0000000003016000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4216-1-0x0000000002D60000-0x0000000002D66000-memory.dmp

          Filesize

          24KB

          Download