Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 13:24

General

  • Target

    2024-05-27_e2552e76e03d81d5157099cf7e10706e_cryptolocker.exe

  • Size

    31KB

  • MD5

    e2552e76e03d81d5157099cf7e10706e

  • SHA1

    dafc60ed4e1478b32fd89b107a24d91fd13d8df1

  • SHA256

    0a0a5ad0d7918696a2be22cdd0a07f9f85ca95fa90d93de7342a036ae24ed162

  • SHA512

    33a6180ca3707a1978790b049b546c46c96e9912c31683cde7daa27e6d055b68d96cf9f3683541501102e32b0ecb5b3cc5bdd837c86ea93559c0a64b626cfb8c

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v74:bAvJCYOOvbRPDEgXRcJs

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants (1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-27_e2552e76e03d81d5157099cf7e10706e_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-27_e2552e76e03d81d5157099cf7e10706e_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:3212
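The tree above is the "Executes dropped EXE" signature in miniature: the submitted file (PID 2700) writes demka.exe into its own Temp directory and then launches it (PID 3212). The following is an added example, not part of the sandbox output, showing how that pattern is picked out of endpoint telemetry by correlating a Sysmon FileCreate record (Event ID 11) with a later ProcessCreate record (Event ID 1) for the same path. The Sysmon field names are the real ones; the event records themselves are constructed to mirror the report's paths and PIDs, and the browser and notepad entries are invented contrast cases.

```python
"""Flag a dropped executable being run, as in the process tree above.

Added example, not sandbox output. It correlates Sysmon-style FileCreate
(Event ID 11) and ProcessCreate (Event ID 1) records; the events below are
constructed to mirror the report's paths and PIDs, not captured telemetry.
"""
from typing import Dict, List

TEMP_MARKER = "\\appdata\\local\\temp\\"


def in_user_temp(path: str) -> bool:
    """True if the path sits under a per-user %TEMP% directory."""
    return TEMP_MARKER in path.lower()


def severity(parent_is_dropper: bool, both_in_temp: bool) -> str:
    if parent_is_dropper and both_in_temp:
        return "high"    # Temp-resident binary writes and launches another Temp binary
    if parent_is_dropper or both_in_temp:
        return "medium"
    return "low"         # e.g. a browser download later run by explorer.exe


def correlate_dropped_exe(events: List[Dict]) -> List[Dict]:
    """Return one finding per process whose image was created earlier in the stream.

    Events are assumed to be in chronological order, as Sysmon emits them.
    """
    dropped: Dict[str, Dict] = {}  # lower-cased path -> the FileCreate event
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            dropped[ev["TargetFilename"].lower()] = ev
        elif ev["EventID"] == 1:
            image = ev["Image"].lower()
            creator = dropped.get(image)
            if creator is None:
                continue  # not something we saw being written
            parent_is_dropper = ev["ParentProcessId"] == creator["ProcessId"]
            both_in_temp = in_user_temp(image) and in_user_temp(ev["ParentImage"])
            findings.append({
                "child": ev["Image"],
                "child_pid": ev["ProcessId"],
                "dropped_by": creator["Image"],
                "dropped_by_pid": creator["ProcessId"],
                "parent_is_dropper": parent_is_dropper,
                "both_in_temp": both_in_temp,
                "severity": severity(parent_is_dropper, both_in_temp),
            })
    return findings


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
DROPPER = TEMP + "2024-05-27_e2552e76e03d81d5157099cf7e10706e_cryptolocker.exe"

# Constructed events: the first three mirror the report's process tree and the
# two dropped files (medkem.exe is written but never run); notepad is unrelated
# noise; the last two are a benign browser download for contrast.
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "ProcessId": 2700, "Image": DROPPER, "TargetFilename": TEMP + "demka.exe"},
    {"EventID": 11, "ProcessId": 2700, "Image": DROPPER, "TargetFilename": TEMP + "medkem.exe"},
    {"EventID": 1, "ProcessId": 3212, "Image": TEMP + "demka.exe",
     "ParentProcessId": 2700, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 3300, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessId": 500, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "ProcessId": 1000, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "TargetFilename": "C:\\Users\\Admin\\Downloads\\setup.exe"},
    {"EventID": 1, "ProcessId": 1200, "Image": "C:\\Users\\Admin\\Downloads\\setup.exe",
     "ParentProcessId": 500, "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in correlate_dropped_exe(CONSTRUCTED_EVENTS):
        print(f["severity"], f["child"], "dropped by", f["dropped_by"])
```

The split between "parent is the dropper" and "both images live in Temp" is deliberate: a downloaded installer run from Explorer also satisfies drop-then-execute, so the Temp-to-Temp parent relationship is what lifts this tree to high severity rather than the mere fact that a new file was executed.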

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe
    Filesize
    32KB
    MD5
    aa2f262db0debf72efe477fbff893b61
    SHA1
    15c5244023d336682af76b2ab543747d6dd6fa52
    SHA256
    5e16ddf346387a2f3ca63f63bf95e07e715b06dde344f5f876afbffde113bbe8
    SHA512
    a2394e861de2f9c233e15b945b4c1d5e093d5d1dc49eda986ab9f444aa26d90bfe794415bf055bf004ccf1d66402c4051d6eb457acd505a78ede49ce579c2a41

  • C:\Users\Admin\AppData\Local\Temp\medkem.exe
    Filesize
    186B
    MD5
    cdd90adaea81c28b7d654ff8fd4562f1
    SHA1
    8be6a9b22c2d5b10491ab9908072afd239710312
    SHA256
    8e0756ae3acef6980517b5d6e310307ed9021ad62623a6826951c0ad37bf4199
    SHA512
    84c5f6e40d4e8f6aa000bfe6cde882b07068fc2c8558008f3833143a42b4d93dcb7a01d0b2b7bd1f8c1f52760822bebf22836026f64bfde150f5de4ebc85cebe

  • memory/2700-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
    Filesize
    24KB

  • memory/2700-1-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize
    24KB

  • memory/2700-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
    Filesize
    24KB

  • memory/3212-25-0x0000000002010000-0x0000000002016000-memory.dmp
    Filesize
    24KB
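The General and Downloads sections give MD5, SHA1 and SHA256 for the submitted dropper and the two files it wrote to %TEMP%. The following is an added example, not part of the sandbox output, that turns those values into a small file-system sweep: it hashes every file under a directory, reports a SHA-256 agreement as a confirmed match, downgrades an MD5- or SHA-1-only agreement to low confidence (both algorithms are collidable), and separately flags a file that merely reuses one of the dropped names. The hash values are copied from the report; the sample files are not available here, so the demonstration runs on constructed bytes.

```python
"""Hash/name IoC matcher for the file indicators in this report.

Added example, not part of the sandbox output. The hash values are copied
from the report; the sample files themselves are not available here, so
the demonstration runs on constructed bytes.
"""
import hashlib
import os
from typing import Dict, List

# Indicators copied from the report: the submitted dropper and the two files
# it wrote to %TEMP%. Sizes are omitted because the report rounds them.
REPORT_IOCS: List[Dict[str, str]] = [
    {"name": "2024-05-27_e2552e76e03d81d5157099cf7e10706e_cryptolocker.exe",
     "md5": "e2552e76e03d81d5157099cf7e10706e",
     "sha1": "dafc60ed4e1478b32fd89b107a24d91fd13d8df1",
     "sha256": "0a0a5ad0d7918696a2be22cdd0a07f9f85ca95fa90d93de7342a036ae24ed162"},
    {"name": "demka.exe",
     "md5": "aa2f262db0debf72efe477fbff893b61",
     "sha1": "15c5244023d336682af76b2ab543747d6dd6fa52",
     "sha256": "5e16ddf346387a2f3ca63f63bf95e07e715b06dde344f5f876afbffde113bbe8"},
    {"name": "medkem.exe",
     "md5": "cdd90adaea81c28b7d654ff8fd4562f1",
     "sha1": "8be6a9b22c2d5b10491ab9908072afd239710312",
     "sha256": "8e0756ae3acef6980517b5d6e310307ed9021ad62623a6826951c0ad37bf4199"},
]

ALGOS = ("md5", "sha1", "sha256")


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def ioc_from_bytes(name: str, data: bytes) -> Dict[str, str]:
    """Build an IoC record from a file's contents, e.g. a newly recovered dropped file."""
    return {"name": name, **hash_bytes(data)}


def match_bytes(path: str, data: bytes, iocs: List[Dict[str, str]]) -> List[Dict]:
    """Compare one file's contents and name against the IoC set.

    SHA-256 agreement is a confirmed match. MD5 or SHA-1 agreeing while
    SHA-256 differs is reported at low confidence: both are collidable, so a
    lone MD5 hit is a lead, not proof. A name match with no hash match is
    reported separately, since attackers reuse file names across builds.
    """
    h = hash_bytes(data)
    findings = []
    for ioc in iocs:
        hit = [a for a in ALGOS if ioc.get(a) and ioc[a].lower() == h[a]]
        if "sha256" in hit:
            findings.append({"ioc": ioc["name"], "confidence": "high", "matched": hit})
        elif hit:
            findings.append({"ioc": ioc["name"], "confidence": "low", "matched": hit})
        elif basename(path).lower() == ioc["name"].lower():
            findings.append({"ioc": ioc["name"], "confidence": "name-only", "matched": []})
    return findings


def scan_directory(root: str, iocs: List[Dict[str, str]]) -> Dict[str, List[Dict]]:
    """Walk a directory tree and return {path: findings} for files that hit."""
    results: Dict[str, List[Dict]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable, or removed between listing and open
            found = match_bytes(full, data, iocs)
            if found:
                results[full] = found
    return results


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_directory(root, REPORT_IOCS).items():
        print(path, found)
```

Run it against a user's AppData\Local\Temp on a suspect host to look for the two dropped files by content as well as by name; a name-only hit on demka.exe or medkem.exe with different hashes is worth pulling for analysis, since it may be a rebuilt sample the report's hashes will not catch.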