Overview

overview

7

Static

static

5

2024-10-05...er.exe

windows7-x64

7

2024-10-05...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-05_751db83f978ed55a5d9f8f4698e17c73_cryptolocker.exe

  • Size

    43KB

  • MD5

    751db83f978ed55a5d9f8f4698e17c73

  • SHA1

    fee6739a4b3073a688a87d90af37781954db9ab7

  • SHA256

    7d2f5baae6ae80337bd8fbc6338dd4070170eeef69094f83dd2e7cdbc3a75f5a

  • SHA512

    8b4db1c2ce1bc77d7d15e62eea19746118ba9e0c087742bb29946357b4cb7a50fe3f032a617689ae26d4337cf6ac9f0effec06ba382ea1a0a85d05219e818912

  • SSDEEP

    768:bO74zYcgT/EkdCQgpwXFXSqQXfj0xKsmHBdZt:bO6YcA/Xk3wXFXSqAJjt

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_751db83f978ed55a5d9f8f4698e17c73_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_751db83f978ed55a5d9f8f4698e17c73_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    43KB

    MD5

    f76237dd65cced72a99259c3f459b724

    SHA1

    72d76c414fe4a726e4d9097d5052b35367dd5fd9

    SHA256

    df88c68649f24b2326996b6a687d010ab1367c0172f0f8e9b26da4abbb450b51

    SHA512

    d581f90ebec5b98245d40f1f36837d5281c10ce8c15f86c0c031464d83dfe3f86d9ddb7678ed08f1ef4bacb23e8d6fac483c594d59a35ccea76c5b83952b8c1f

    Download Submit

  • memory/1392-20-0x0000000003010000-0x0000000003016000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1392-19-0x00000000006F0000-0x00000000006F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1392-26-0x0000000008000000-0x000000000800F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1612-0-0x0000000008000000-0x000000000800F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1612-1-0x00000000021B0000-0x00000000021B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1612-2-0x00000000021B0000-0x00000000021B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1612-3-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1612-17-0x0000000008000000-0x000000000800F000-memory.dmp

    Filesize

    60KB

    Download