Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
18-01-2024 23:23
General
-
Target
2024-01-18_d0149c06b30d7b759441293670700970_cryptolocker.exe
-
Size
28KB
-
MD5
d0149c06b30d7b759441293670700970
-
SHA1
8acde192194db362432709d08fb21a5c56783f67
-
SHA256
e5d70a5978c7d40ead16ecb02b87b94149a40b2355fe2f114aa75bb567bb4fea
-
SHA512
5ffac0c69c38b5da76c0c63451a45291c61d04225529eca060a7676037402e3747935dec277ebe1b5e8e5443577bb87b8102e615d029bd817c0cabd124488c5e
-
SSDEEP
384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cu7O1:bAvJCYOOvbRPDEgXRcn
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-18_d0149c06b30d7b759441293670700970_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-18_d0149c06b30d7b759441293670700970_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\demka.exe"C:\Users\Admin\AppData\Local\Temp\demka.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5d43c2dd382fa19b58c386a3b18f0779c
SHA16f4090bc0d405472a8cbb720d184a60c820eabfb
SHA256a1794bb150d2b9e0352dda4ebb8f1f51271b632d47b0590e9eccd368ab13ed2b
SHA512030bb5d193990fa1892ec849c8da669e583ba5ba6f7ef1fc56a781716e77e618afa63798e0b5bda502a92534841498d52f10b8c6b8941b34bb7ea05891f4d1d7
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB