Analysis
-
max time kernel
134s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
25/01/2024, 20:29
General
-
Target
2024-01-25_9fc7db9a9c18ac76494e18d6b464674c_cryptolocker.exe
-
Size
37KB
-
MD5
9fc7db9a9c18ac76494e18d6b464674c
-
SHA1
6d99318862dc07eaa1fc1b0c2ac783cd0cf00762
-
SHA256
f7f7ba8f0e22ede5eef13130ced9ffb4ed3bcd2c51b33bf5a1a720ca0fb717e4
-
SHA512
49cda055c5d4285bcd4aca0e075ffd5d42b04337b702a9b2e051f9f2cec3d82899041f943dacd4750cca11151cf9d84d6d99d4ef96d9a61b63caab67fccef6f2
-
SSDEEP
384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzoiM8Nekdvjl9V50i3Nb/mViY:bAvJCYOOvbRPDEgXrNekd7l94i3p/hQ
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_9fc7db9a9c18ac76494e18d6b464674c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_9fc7db9a9c18ac76494e18d6b464674c_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\demka.exe"C:\Users\Admin\AppData\Local\Temp\demka.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD506ec1252410833c5d24e72765869c07f
SHA10d9b98527550902ec1dcd5f2b700081a7eb338ca
SHA25613f9a345e3f69a34a771a5415d75ce75fca72076896cc80cd89f7fc3df339486
SHA51221bd0d4b23799bd07650f39c787eacd34c95e7ac4782248aa4f2a6b946785ddc5210d3a5f5e28a3399e1563c6947201a6902a1af37a94937426a22e17ef6eef2
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB