Analysis

  • max time kernel
    131s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25/05/2024, 21:54

General

  • Target

    2024-05-25_67e01c0693d84f16ad1dd33ac2273bf1_cryptolocker.exe

  • Size

    37KB

  • MD5

    67e01c0693d84f16ad1dd33ac2273bf1

  • SHA1

    943b4e1e0371c682efe58c12953da824fb4b20fb

  • SHA256

    5cc1ea8f1a2913c2eddbda42c24c01f196271c03ffe093cebd123e73f7b69152

  • SHA512

    332e424368706599b152f567894129448ec87f3dbbaf1a201fe9cff76dabf1d6819169edb6b913e3b201b9e8b269e1e4c92c08e9590975b3172ddb846e648907

  • SSDEEP

    768:bAvJCYOOvbRPDEgXrNekd7l94i3pQheDh88:bAvJCF+RQgJeab4sbl

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_67e01c0693d84f16ad1dd33ac2273bf1_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_67e01c0693d84f16ad1dd33ac2273bf1_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:3368

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\demka.exe

          Filesize

          38KB

          MD5

          ca009e84ffaf9acede96e2f38dee109f

          SHA1

          f935b17151028d8bf234800803e8a1e2f7af6183

          SHA256

          b1b225f703c3ac9df50d2fd734ed2fffa1aedc0aff139435dc5723b298fe58c2

          SHA512

          aed4b80ef15774917c8de0b44ee023b9941983e08b5f210385567bdd6c44e29778bf5d4a5b714f05f4cf688e5c5dfb9652e20974695e9aadd8a4b9fea3fa8b63

        • C:\Users\Admin\AppData\Local\Temp\medkem.exe

          Filesize

          186B

          MD5

          c4504895809873e2b42dd078082d9443

          SHA1

          09e7300087d2714186d255659da4145531ca4c78

          SHA256

          8ff9f7a7d8f3b3f26aa78668823739aa66e1205d14f63096238ce5cf169b1ae5

          SHA512

          c21bc66f3acf5c3a9a465b2212001741869bc6b44689b10eefc8bb6645ce0e13538140bbfb92de835f666b2dba2433a5d301d8c4e3ca701673f9f4cdcd0e7561

        • memory/2876-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

          Filesize

          24KB

        • memory/2876-1-0x0000000000400000-0x0000000000406000-memory.dmp

          Filesize

          24KB

        • memory/2876-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

          Filesize

          24KB

        • memory/3368-25-0x00000000005D0000-0x00000000005D6000-memory.dmp

          Filesize

          24KB