Analysis
-
max time kernel
133s
-
max time network
127s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
23-05-2024 01:23
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
-
Size
37KB
-
MD5
2a3a923b95881b33e7ad0099c0e66254
-
SHA1
c19743ae6766328482ea94271b2f5972119a745d
-
SHA256
b8ce6fe5ef5ef1f11abc8e279d576c135f1bbe3da7a506d1cd53f834f8ad2e61
-
SHA512
7f3d600901f739f61cb6b561edce9c2d4849cd5e71c8930baccae9abbbd4c13d02af2967bfe9b283329e88a11d9f3ed5a49989e328fe27da052e04240fd69455
-
SSDEEP
768:bAvJCYOOvbRPDEgXrNekd7l94i3pQheDIm:bAvJCF+RQgJeab4sbD
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\demka.exe
yara_rule: CryptoLocker_rule2
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe, demka.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
process: 2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
process: demka.exe
-
Executes dropped EXE 1 IoCs
Processes: demka.exe
pid: 1536
process: demka.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
description: PID 1456 wrote to memory of 1536
pid: 1456
process: 2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
target process: demka.exe
description: PID 1456 wrote to memory of 1536
pid: 1456
process: 2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
target process: demka.exe
description: PID 1456 wrote to memory of 1536
pid: 1456
process: 2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
target process: demka.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe"
process tree level: 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\demka.exe
command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
process tree level: 2
- Checks computer location settings
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:8
process tree level: 1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\demka.exe
Filesize
37KB
MD5
c295645a1c8aaf9d7586bd95555ded06
SHA1
f669e86fc2f85ad7d253491baa6b182c4f08fe2c
SHA256
8e91a6e1d1875be5aae2edea1f5bb1a0886a48c3a8aef61425807ba443c34a97
SHA512
ef705c61041ef3c3d888e02913db124ddf0452c5e92815d49853c5497d12fbb46a8639d8a9f9723f167a20eea779b659a0c7d63d6c9f745c11bb698e28dadded
-
C:\Users\Admin\AppData\Local\Temp\medkem.exe
Filesize
186B
MD5
6ff2b8673860c66344f5ea3938fbbfc3
SHA1
0ea60037416b4f7ce79a6c6d0d5f4b41ef09c7fb
SHA256
bea75e4d540c4dad263d1bfa7dfe76299496711bb91f3340a0ccad9704b52cfe
SHA512
0c011f96b5c6af5badc28e041e97dc055a2bc161db4b119127c9fbad68160a5ffb33bc779170033b49ee8c854064967aa141c51d4cdd15514868df641d6b7e7f
-
memory/1456-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
Filesize
24KB
-
memory/1456-2-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
Filesize
24KB
-
memory/1456-1-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize
24KB
-
memory/1536-25-0x0000000002D60000-0x0000000002D66000-memory.dmp
Filesize
24KB