Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28/09/2024, 02:37

General

  • Target: 2024-09-28_e437602cf158586bade33244c3dddc07_cryptolocker.exe
  • Size: 35KB
  • MD5: e437602cf158586bade33244c3dddc07
  • SHA1: f2b2d0a720e0fcf402c2fb9e7cdf88f24a18e23e
  • SHA256: 90e7b093d977d59acdd4d2ae22d95c575551219450a898d418d813ccbf2c409a
  • SHA512: 62200698be2f0e83b3231a91378a70683ea2e4ab4e690e6f856e500b5e6a1c15f1a316cd34c2454bd467c81dbefa4252702882b94566af770fdd67243149c495
  • SSDEEP: 768:bxNQIE0eBhkL2Fo1CCwgfjOg9Arbkzos5jmUEf:bxNrC7kYo1Fxf2rYPLEf

Score
7/10

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_e437602cf158586bade33244c3dddc07_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_e437602cf158586bade33244c3dddc07_cryptolocker.exe"
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\pissa.exe
      "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3588
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
    PID:4056

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pissa.exe
    Filesize: 35KB
    MD5: bf9b4c92dfdc961efbe28a9235a176a6
    SHA1: 6a9b181dfaecd8d431fc69d76a76b9ca0e53da04
    SHA256: 9ddbd58100eac75e5544ccbbb886b8847cf7d8d403d8c5d267ec43caf42c5ba4
    SHA512: 68f8b4f038f21cb5a566403cd0098463a370761e2abeabb5eb92a8a369ca9b53873e67861905ae673e6689133ab2ad482f190a3e04931081f4c8a2dcc457a63c
  • memory/1048-0-0x0000000002210000-0x0000000002216000-memory.dmp
    Filesize: 24KB
  • memory/1048-1-0x0000000002210000-0x0000000002216000-memory.dmp
    Filesize: 24KB
  • memory/1048-2-0x0000000003010000-0x0000000003016000-memory.dmp
    Filesize: 24KB
  • memory/3588-17-0x00000000020D0000-0x00000000020D6000-memory.dmp
    Filesize: 24KB
  • memory/3588-23-0x0000000002010000-0x0000000002016000-memory.dmp
    Filesize: 24KB