f9aff73f72733e71781ead4790520750bd2642112ac445eb9feda4366b1f816a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe
Size

33KB
MD5

f2836e930c592116bbcfaaf30a464b62
SHA1

5d1c2e9f1c21faefbd257dac71b924508ac04591
SHA256

f9aff73f72733e71781ead4790520750bd2642112ac445eb9feda4366b1f816a
SHA512

9f4205b4f36edb61ebbb09a7cacc8ab14524d7510ac31377106efc944b2b3d8e41af86413f2df1808f8d9e923c5d29f92956a703f330584cdde3e8850f682a33
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7b:bAvJCYOOvbRPDEgXRcJP

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ee-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
632	demka.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1148	2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe
632	demka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 632	1148	2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe	28
PID 1148 wrote to memory of 632	1148	2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe	28
PID 1148 wrote to memory of 632	1148	2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe	28
PID 1148 wrote to memory of 632	1148	2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_f2836e930c592116bbcfaaf30a464b62_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
33KB

MD5
c898756eefcd9e2e3daa9d88f37cf256

SHA1
ca4fdf44d2ce4ca772442eab26a298994b6196e8

SHA256
6e7e0030800deb29de2a25d22344ede35369dd102d5564dad9b4b8e7f03198e2

SHA512
1c51f3ecba1fba74950ae16aea7c90decfeb6dbd1bc978c8651cbe9bcb0d183a4ff599a15923413c1ae862207511cd78ac3cd9f167fcd5245ecc9f4e927b2bee

Download Submit
memory/632-16-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/1148-0-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1148-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1148-8-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download