Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
13/02/2024, 14:29
General
-
Target
2024-02-13_384b271666e9be4ad49b863d92d40996_cryptolocker.exe
-
Size
39KB
-
MD5
384b271666e9be4ad49b863d92d40996
-
SHA1
53e67e5f6ddd159d8d07250bc825c69d6ef1cec5
-
SHA256
9d9bd946a35ff313068c334c8882493c6421dedcfb3d4d275df6f68c1a93339f
-
SHA512
345dedaf932ff1429e728efc89fc59d055d70129378579d24348cd738f198530ab8c06e0d2c488e150567e6e2a4e3b12a6805f167f7a6e995d6a243413a9db0d
-
SSDEEP
768:bAvJCYOOvbRPDEgXrNekd7l94i3py/yY/g:bAvJCF+RQgJeab4sy/lg
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-13_384b271666e9be4ad49b863d92d40996_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-13_384b271666e9be4ad49b863d92d40996_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\demka.exe"C:\Users\Admin\AppData\Local\Temp\demka.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD55197e82c6cfee76e545494764911e7b8
SHA1ab484e2a0d825f5db343720830df604aef84465c
SHA2561569fe76b6bff8c3009c5aa82d8dba34986470926484a4728be0eccb429d779b
SHA512de019dc0a5b93517267ec20fc429f22272f7736621bed594e26b9fcb3e5be76a0ec70202e57e74a44fec61058646776ea946980b44fff35cc9e731afbabc5303
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB