0cef0923037188536aac04c9066ead74f5c2bf3e95e79f92c5b11d6895e14d7c

Analysis

max time kernel
1s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe
Size

34KB
MD5

a7e519bca289a8268c89f2cdfd39df70
SHA1

2f1b4ea9d9bce04939e13b359cea6e9048eedfd3
SHA256

0cef0923037188536aac04c9066ead74f5c2bf3e95e79f92c5b11d6895e14d7c
SHA512

d3c0614f1ac47410cae154ea39bc4e44b8153045451181b9cec35df59bdf2998fcc82d95d34fbc897ed21cee0022b1116364326f1d208c0d4adbd1dd063de918
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjufAq18st8W:bAvJCYOOvbRPDEgXVFzpCYVG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	demka.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2960	2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe
2172	demka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2172	2960	2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe	15
PID 2960 wrote to memory of 2172	2960	2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe	15
PID 2960 wrote to memory of 2172	2960	2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe	15
PID 2960 wrote to memory of 2172	2960	2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe	15

C:\Users\Admin\AppData\Local\Temp\2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_a7e519bca289a8268c89f2cdfd39df70_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c45e3d4543d4e5b60ff4a19e1452739a

SHA1
9b5fe51c6c2b33ff8fb92e1b3a8ef3b9e1b59548

SHA256
68febe3a8eac83f09cb6726d6e71998af5cecca0009907d4cc862d9ac59c5e60

SHA512
9c9608a086fd5955ecdf99d8d40931710074e50708b0cbd3528c76fb405492dca881dbfa5939f061b61ecc46c051431e583bf8f1a6e8f9ad7571354b86c4b1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82A9.tmp

Filesize
1KB

MD5
1f1a3b101012e27df35286ed1cf74aa6

SHA1
46f36d1c9715589e45558bd53b721e8f7f52a888

SHA256
7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c

SHA512
d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F3A.tmp

Filesize
28KB

MD5
5c0909b237ea986e95fc1caa9700c47e

SHA1
9c257a22e9877d6016f897a37fcf0d446e5bb236

SHA256
d65ece6ef85475bef8b38dbd01072a4c9215187f7ba8752090b52543725ab61d

SHA512
89e6dd4eace1ea76348a010aab14bfda622a2c160b565a534d48a0f05c5f24aa2914f9debaa131eca80ccb13cf9004105ef55a862f206621a8203bdb0f72a108

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
9KB

MD5
e5958377bd82a0e0f5d0e524bf64eb47

SHA1
fad843ea10c97ec52714061c7b3202199d1e8d46

SHA256
03eb6a980b6128449711cb22e3704049d41c6ac8dd3ecf7d017dd1c8d6117e52

SHA512
ee720bd3f7e09efa77eed929086639398a427a897722ff53b0d58066bea11efbfa27417e3c2100da2321143c5b9374c8028984f28bbd75a0689ad37edc959f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
12KB

MD5
ec3f168671805e85e74630072f87622f

SHA1
c16c7ac39a69ba7c35982e9aa4435b22e177224b

SHA256
d0185acc26f883856e5af0f6c115721395ad597789070f09d9d89daf50cf91bb

SHA512
4408cee824747636174c2110cf85024061caab847388ba92c70ddd1249ec6d3ae5dca1c2557978494c1c820c9311a074339bf38e0c6914fe7fc2bbb8dab87b0e

Download Submit
\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
34KB

MD5
ace4197408cfe6226db93d56d3e52b6d

SHA1
e91f930ec17bfcf477c6732feaa76853f791bebb

SHA256
895c1e11cc309fef74a8bc011c4ac3c41fd9213d8758ab4efe84e6e78a8145e6

SHA512
fe4eab49d28533ad55467ff3f4b6b641f112db38ac2a403275a0e2c76a8ae4844470bc8d903df2b3c87bfa80ae273d14296e01a065bba3ec74a5c720758987e1

Download Submit
memory/2960-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2960-8-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2960-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download