Analysis

  • max time kernel
    131s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 16:11

General

  • Target

    2024-05-24_c77aed3d0e6204d50df54c4f3e12da02_cryptolocker.exe

  • Size

    32KB

  • MD5

    c77aed3d0e6204d50df54c4f3e12da02

  • SHA1

    23f7b9a76c07bd65ba221e9fc551a4ad7bb8d2c0

  • SHA256

    2140ee6e8b3ef924e58ad2ac7483ca61e1a638d1450fa29fd093766b406f7273

  • SHA512

    0ffa18a512f817dffa6eeb8a1bc957bd0aee5d8a81e27de588afb703e9ff29f651ce19c5ae79b19dbd850c66c164ba8355d692febc3183667ba1c855ec5bcd7f

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7J:bAvJCYOOvbRPDEgXRcJd

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants (1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-24_c77aed3d0e6204d50df54c4f3e12da02_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-24_c77aed3d0e6204d50df54c4f3e12da02_cryptolocker.exe"
    (depth 1)
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      (depth 2)
      • Checks computer location settings
      • Executes dropped EXE
      PID:1376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe

    Filesize

    32KB

    MD5

    69bd4c21072c3578d8a4913a487c6d6d

    SHA1

    ad878b58457d3e75deb711874a68773eb2431362

    SHA256

    19a45e99c41c79c352cee151be8f0946a7f7a67989024764bbe9238bc2698fb6

    SHA512

    2c643cf68ae925fb310a192b6198d35b209bccdc7cd46ced6c3956745bc7b687e2b5199a870a86062151397aa88ecc5ef2d02fa383816546f5311f2cd0b0fc76

  • C:\Users\Admin\AppData\Local\Temp\medkem.exe

    Filesize

    186B

    MD5

    608d1067f181040d7a454bbaacf1fc58

    SHA1

    a9ad42cf50814bbcb2448ff43aac246fb80448af

    SHA256

    0de351ef0a1e13b0abe2b7a3e6de0edc77f6189cdf2e4c60a2910cc8af405e53

    SHA512

    0f316f35dd2c925c1adcfb050ce296c19a2221dc1a496a052cb048f41ccb444e234beb482cb21173d636408da4dc835b7dc746e95ad4ca8ffc965bf062eb81ac

  • memory/1376-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

    Filesize

    24KB

  • memory/1468-0-0x00000000020A0000-0x00000000020A6000-memory.dmp

    Filesize

    24KB

  • memory/1468-1-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/1468-8-0x00000000020A0000-0x00000000020A6000-memory.dmp

    Filesize

    24KB