fb37454f96af107dedbd43fb2ff45186f0eb1b5edf937e2a390bf0880e89a9c1

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe
Size

32KB
MD5

34a0ffdd9bf268945d604d164c3837a5
SHA1

d848727db90909df539590bc7d1a9356fb0a7ee5
SHA256

fb37454f96af107dedbd43fb2ff45186f0eb1b5edf937e2a390bf0880e89a9c1
SHA512

bdfc37fbc619e7a68adb2f491d920c3b53d9c232f73a008077638c747c3d2cd180ae329e92d74cac4797381ce2b38eba456e14fa9e6b236b7983b6e792279a98
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cuM9gx1:bAvJCYOOvbRPDEgXRcuM9gx1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e2-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2988	2612	2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe	86
PID 2612 wrote to memory of 2988	2612	2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe	86
PID 2612 wrote to memory of 2988	2612	2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_34a0ffdd9bf268945d604d164c3837a5_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
32KB

MD5
7f29386f4160f62706a2b7cd46084476

SHA1
0e7177accc675f1b026460ea319b131222be9155

SHA256
007c154dbcbe48fbc2ebe24a7292e71f46654bdea059db554ed91089a8ba661f

SHA512
55a4cde57f1616310665aeed3891308ded9d921f03f76bb700da6dcd708946cd922a6efc0e237338c749a28b72dc292333f856a8c56b69cbbc52403d509228fe

Download Submit
memory/2612-0-0x0000000002E90000-0x0000000002E96000-memory.dmp

Filesize
24KB

Download
memory/2612-1-0x0000000002E90000-0x0000000002E96000-memory.dmp

Filesize
24KB

Download
memory/2612-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2988-25-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download