d2ea10fd008740251a6dfd342e1bc68634b7a1aa8ea6c59060af3c0c912b2058

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe
Size

35KB
MD5

cd1ee26f60fcdcc8b7201d64cb7c5dca
SHA1

a008c920fa7f975ff6e7b7291948a1f6e6fd8c7c
SHA256

d2ea10fd008740251a6dfd342e1bc68634b7a1aa8ea6c59060af3c0c912b2058
SHA512

194bd9cd563d3e7908b06bc861c63e933310a1d5934f8cc951dbe7c8429c4e62058e71ea4e064e50d18244d5c1416cb05fc92fc5bd1195e30e2cd8b6995c05bd
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6ckJp0qAgmEzXKxA+uspNY/:bAvJCYOOvbRPDEgXRc+BAILYW

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x001c00000001e97e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
1812	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1812	816	2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe	85
PID 816 wrote to memory of 1812	816	2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe	85
PID 816 wrote to memory of 1812	816	2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_cd1ee26f60fcdcc8b7201d64cb7c5dca_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
35KB

MD5
6901c7221b96f2143ce186d67130c4a1

SHA1
657221102df3af1b09301c8a7f79361c6289d682

SHA256
585ab1aa2fcf532343ecbcf57e52c8f7e7c123e3e0d9cdd01f6ff98cea770136

SHA512
9c33e15c9e75dd27bf1c2e23a4565d3c955bc6d25b431162febeffb207bec33ee09efd3e82713e6921004c5a22e413768523cd669a97a5f5a9564a4b944d4e76

Download Submit
memory/816-0-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/816-1-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/816-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1812-25-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download