Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:42

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe
Resource: win7-20231215-en
General
- Target: 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe
- Size: 31KB
- MD5: 0514ca31f4b88872aae91dd965370f05
- SHA1: aa7dc77178500e9fcc744874403a3ed82c80d9d9
- SHA256: 8e59acc817c5bbe96dfb2d9f516ce69f92dd6d7d37e8bd36d87ed861d34acb82
- SHA512: e620644e96fc4ef40ef56749e94094812324ad81e329aca4f9a9636e76d44e1e75638450b1d249fcb65aa5f5e349c8bbb3d44a1960ef1826a3ad3a23d2977f5a
- SSDEEP: 384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6ckJp0qAMub4:bAvJCYOOvbRPDEgXRc+BA/b4
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\demka.exe | CryptoLocker_rule2

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: demka.exe, 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | demka.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe

- Executes dropped EXE (1 IoC)
  Processes: demka.exe
  pid | process
  2448 | demka.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe
  description | pid | process | target process
  PID 3300 wrote to memory of 2448 | 3300 | 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe | demka.exe
  PID 3300 wrote to memory of 2448 | 3300 | 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe | demka.exe
  PID 3300 wrote to memory of 2448 | 3300 | 2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe | demka.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_0514ca31f4b88872aae91dd965370f05_cryptolocker.exe"
  PID: 3300
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\demka.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
    PID: 2448
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 32KB
  MD5: f9e61b4477425b3f4fbbe6a6f1128de5
  SHA1: fc75260fb2582315ccb233a3b73fb09107731489
  SHA256: d461198d6b085f6b96dec124b3d7caae8010ab7d6d4c59eb852d4226a1c40ffc
  SHA512: 6d95a865cb24533c72ecdf8fc1b2c2150edc4204f15b2e6150f3e20a98e3d2fc2930d2039b0561b83002ab917edf87772d2693576c0964207f5349e6f4ac3320