452255975335340cfef7a484cd1077397b5e47ddc9cb8c452375bc1056e36799

Analysis

max time kernel
0s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe
Size

35KB
MD5

3b98555520e5665314aff9604ca3d79b
SHA1

e9b0e383ccab689b04ee7145eda20a10b56b9386
SHA256

452255975335340cfef7a484cd1077397b5e47ddc9cb8c452375bc1056e36799
SHA512

286cf2fec5467ee8968c75f5d6414a24e8ef577be3cd9191143f9c1351d78dbcacd11f40e1edb1d164489ca6ba3b0efb89b0bb038bce9b97146c8884b5a1aa55
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjufAq18st8qL1ZA0bg:bAvJCYOOvbRPDEgXVFzpCYVaLlk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3032	demka.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2060	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe
3032	demka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3032	2060	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	16
PID 2060 wrote to memory of 3032	2060	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	16
PID 2060 wrote to memory of 3032	2060	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	16
PID 2060 wrote to memory of 3032	2060	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
1KB

MD5
1f1a3b101012e27df35286ed1cf74aa6

SHA1
46f36d1c9715589e45558bd53b721e8f7f52a888

SHA256
7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c

SHA512
d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92819019761d50f7aea01e49b442b982

SHA1
46b22a14bcfc0828a1062ffcc04927a415a404d3

SHA256
50e49304b9042655156fc95893d0f8aa6e70ba5c6227498e306990410ab0b007

SHA512
cd5ffdcfe016e083bbf56585c8c44748fa567a5b1f93499237bac0a9b54daef8ad2ba672824963ce13f5c42a86e8086ef727ced907046468c2710462e60163a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
544bcc41b94d222fc9971f7d172b3d9e

SHA1
df3f6af6b9c0cc3ff48bb4ad04488ac16da5fa64

SHA256
26d87d7b38e7f8ce45ce3ffc89ed69f02253bda5cea120b2c142958738bc4718

SHA512
99fc27a32723fbff6524481eda866a5196deca160e1edc50b2bcfc411d8d1a8b99e24f109043f1269233b42ea4405cbdfcd0b0b0336d3314d6cb829cc0ff9ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar408E.tmp

Filesize
19KB

MD5
713f92204def02daee1e6a30affdd566

SHA1
77073047d9a5d67145988ac2fbac00c4a68019e4

SHA256
f9f9fdbacbb6977969d7c0b6e5f8fbce424642611d85b7e2aab0cd37652a8c0d

SHA512
48e932f4d714c3d7f75e09f8c07c069542c1f84edfe769e1d5df50b216ba619a45a0193c3ebfdea80bc2515753b1e07f18cb3fe92082890e07677104026352e3

Download Submit
\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
1KB

MD5
d083d898e8e7e08fefeb9547d6618214

SHA1
c42da7ceca24dafb85fdfb1a62bba5952e251bc0

SHA256
68ae8ab117c7dfcfa8817fbfc088e87aed032770b11f0918268ca908cf903dd4

SHA512
c830629850d5e40232d8a8bd1b98030c400bb0ef10a9c0f06de21426edf0f632e373af842acd487bae7808fbe3e9e0c81b4b3a7f0e1937ea453ba42f665c900f

Download Submit
memory/2060-2-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2060-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2060-0-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/3032-23-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download