e47a74e6a0f088f36ef0e9c79330232ed5a846db09980a82764bbd6152d814f4

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe
Size

38KB
MD5

3e31c619a711911eba51b6ba5102f603
SHA1

f4ccffb91fb693c633ec9758fe636fbcef720cfc
SHA256

e47a74e6a0f088f36ef0e9c79330232ed5a846db09980a82764bbd6152d814f4
SHA512

8dabfc136a898965654bb8686a2388a3276a069a0ccd8572e3ec9f035fb390d35a747cffcd981e6d2b79c3f70f58364bb096215035830e071036c0a317b955b1
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzoiM8Nekdvjl9V50i3NbZM+ea:bAvJCYOOvbRPDEgXrNekd7l94i3p+Bu7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023217-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
4968	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4968	4340	2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe	88
PID 4340 wrote to memory of 4968	4340	2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe	88
PID 4340 wrote to memory of 4968	4340	2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_3e31c619a711911eba51b6ba5102f603_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
38KB

MD5
c2526fec03c37fb912bc471f2e3f3df9

SHA1
1b76079f76f9e9ef93a271afae5db6d84d889f9c

SHA256
d948c715b7e0df2a757a7e52eb62c3d18da2cb0f104fa8b8e06f1e0c568ac85d

SHA512
62cc48c63ef839858cd98180f778b2a11ec5e6714a46d33a9ffb98424317468a7d2dec01e4a767169ae96689f83ca31d5f5e1e48a0fbe8458fbd3d968313da7d

Download Submit
memory/4340-0-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/4340-1-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/4340-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4968-20-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download