Overview

overview

7

Static

static

7

2024-09-21...er.exe

windows7-x64

7

2024-09-21...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-21_2be96cbf40b7813ab0b01f8ea945b775_cryptolocker.exe

  • Size

    70KB

  • MD5

    2be96cbf40b7813ab0b01f8ea945b775

  • SHA1

    4cb21b732a9e971893b3b01a1e94c4b66ad40e44

  • SHA256

    9f2d21e7629f9028a4a8576a96bdf9fc0466ba73602e4c8d25a803fbe236c7c1

  • SHA512

    9be1fadd1b317f13ee47ad54394686017924a9af5f940e6b078c1e9134ca5daa674108455342b62695c1ecf8c868b886fc1aaa1ba463be9b78820f7fca7ced0b

  • SSDEEP

    1536:z6QFElP6n+gKmddpMOtEvwDpj9aYaFAeB+8x7+:z6a+CdOOtEvwDpjQc

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-21_2be96cbf40b7813ab0b01f8ea945b775_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_2be96cbf40b7813ab0b01f8ea945b775_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    70KB

    MD5

    7c955e70aa0a260351a0df40915fcafe

    SHA1

    b42c5723ae5c5c9add815ebea44be27823181eac

    SHA256

    22884c6502250183c82a665416dd26ba3f11c997af221ac8a29f6590c55bbc1d

    SHA512

    146d303a0430d7e364b4728fe44f037ee9fca7af23b0146179e4121dfa76232d213cc61ed34bb5289ebc449c38a02822b43ba80766310d45ee10005814721b12

    Download Submit

  • memory/1296-19-0x0000000000660000-0x0000000000666000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1296-25-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1296-26-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4844-0-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4844-1-0x0000000000520000-0x0000000000526000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4844-2-0x0000000000520000-0x0000000000526000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4844-3-0x0000000002070000-0x0000000002076000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4844-17-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download