Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 20:24

General

  • Target

    2024-09-28_5a8ed8771594cc35d1d6a084f7d26286_cryptolocker.exe

  • Size

    36KB

  • MD5

    5a8ed8771594cc35d1d6a084f7d26286

  • SHA1

    eb40acc053a8dcc35b02d0d4cd49a3f5b80a9a53

  • SHA256

    728f4cb1370646a310b2d2aa16286916b6bfb09415c1cc41f8cff935a7f4acee

  • SHA512

    385efb0bf8780c6aeb32eeb32ba05837ea4cc386e2b5783d4612feaa1b65749f94e4190618019776d49a2b7f01b8201d98fca98b8e0f4e6392ffe9668776e332

  • SSDEEP

    384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf6XT+0vJsg5b5URa:bgX4zYcgTEu6QOaryfjqDlC6JFbKRa

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_5a8ed8771594cc35d1d6a084f7d26286_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_5a8ed8771594cc35d1d6a084f7d26286_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1596
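The signatures above and the two-process tree they are attached to can be reproduced as checks over a per-process API-call trace. The following is an added example, not the sandbox's own rule engine or rule format: the trace layout, the API names used as indicators and the events themselves are constructed for illustration, and only the PIDs and the dropped file path mirror the process tree shown in this report. The registry key `HKCU\Control Panel\International\Geo` and its `Nation` value are assumed here as the location-setting lookup; the report does not name the key the sample reads.

```python
"""Toy signature engine over a constructed API-call trace.

Added example: demonstrates how signature types of the kind listed in the
report (location-settings lookup, language discovery, dropped-EXE execution,
cross-process WriteProcessMemory) can be expressed as checks over an
API-call trace. Trace format, API names and events are constructed.
"""
from collections import defaultdict

# Constructed trace: (pid, api, args). PIDs and the dropped path mirror the
# report's process tree; the individual calls are assumptions, not observed data.
TRACE = [
    (4152, "RegOpenKeyExW", {"key": r"HKCU\Control Panel\International\Geo"}),
    (4152, "RegQueryValueExW", {"key": r"HKCU\Control Panel\International\Geo",
                                 "value": "Nation"}),
    (4152, "GetSystemDefaultUILanguage", {}),
    (4152, "CreateFileW", {"path": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe",
                           "access": "GENERIC_WRITE"}),
    (4152, "WriteFile", {"path": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"}),
    (4152, "CreateProcessW", {"path": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe",
                              "child_pid": 1596}),
    (4152, "WriteProcessMemory", {"target_pid": 1596}),
    (1596, "GetUserDefaultUILanguage", {}),
]

# Indicator sets (assumed for the example).
GEO_KEY = r"control panel\international\geo"   # matched case-insensitively
LANG_APIS = {"GetSystemDefaultUILanguage", "GetUserDefaultUILanguage",
             "GetUserDefaultLangID", "GetSystemDefaultLangID", "GetLocaleInfoW"}
WRITE_APIS = {"WriteFile", "NtWriteFile"}
EXEC_APIS = {"CreateProcessW", "CreateProcessA", "ShellExecuteExW"}


def run_signatures(trace):
    """Return {signature_name: [(pid, detail), ...]} for every hit.

    'Executes dropped EXE' is attributed to the child PID (the dropped file's
    own process), matching how the report tags that signature.
    """
    hits = defaultdict(list)
    dropped = set()  # every file path written by any process during the run

    for pid, api, args in trace:
        key = args.get("key", "").lower()

        # Location-settings lookup: a value query under the Geo key.
        if api.startswith("RegQueryValueEx") and GEO_KEY in key \
                and args.get("value") == "Nation":
            hits["Checks computer location settings"].append((pid, args["value"]))

        # Language discovery: any of the locale/UI-language APIs.
        if api in LANG_APIS:
            hits["System Location Discovery: System Language Discovery"].append((pid, api))

        # Record files written so a later execution of them counts as "dropped".
        if api in WRITE_APIS:
            dropped.add(args["path"].lower())

        # Execution of a file that was written earlier in this run.
        if api in EXEC_APIS and args["path"].lower() in dropped:
            hits["Executes dropped EXE"].append((args["child_pid"], args["path"]))

        # Writing into another process's memory (self-writes are not interesting).
        if api == "WriteProcessMemory" and args.get("target_pid") != pid:
            hits["Suspicious use of WriteProcessMemory"].append((pid, args["target_pid"]))

    return dict(hits)


if __name__ == "__main__":
    for name, iocs in run_signatures(TRACE).items():
        print(f"{name} ({len(iocs)} IoC{'s' if len(iocs) != 1 else ''})")
        for pid, detail in iocs:
            print(f"    PID {pid}: {detail}")
```

Run against the constructed trace, the engine reports one location-settings hit and one cross-process memory write for PID 4152, two language-discovery hits (one per process) and one dropped-EXE execution attributed to PID 1596, the same shape as the tree above. Real traces carry many more calls and noisy legitimate lookups (installers and updaters also read locale settings), so a signature like the geofence one is a triage hint rather than a verdict on its own.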

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe

    Filesize

    36KB

    MD5

    a9162624db53d4e4aa2768a650d9066b

    SHA1

    5ef484da76555e3c5e9d2c2a6d3fa8b1bb1d4cb9

    SHA256

    69528793a1e5ca4d8a2c85aad98e62ef3c1066254da5e08dfdc51e335bb26efa

    SHA512

    7cbf4192a68be660da764b2a0f102738b0d438a4001adee2ddaeb9bc10578dfbfb13597c854ccad7301daf17bfc9172d39988aa216bc144a648e55d60a43ecab

  • memory/1596-18-0x0000000003010000-0x0000000003016000-memory.dmp

    Filesize

    24KB

  • memory/1596-17-0x0000000002D60000-0x0000000002D66000-memory.dmp

    Filesize

    24KB

  • memory/4152-0-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

  • memory/4152-1-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

  • memory/4152-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB