Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/06/2024, 06:25

General

  • Target

    2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe

  • Size

    31KB

  • MD5

    c70ac706b4157167d03227532fc5a71e

  • SHA1

    e24fd5b88d43fe859e515f899889d9261d1fa1c2

  • SHA256

    7f8297a5240f75cc7cdbade449f70fa495ab5355c75c2df9f1fe1dcaf57ac95a

  • SHA512

    0a9478ba7eda3c3ac8129193cfa440a347b502a2ae7c0ccce83c54bdd14128b3190b4abf77753d35fa28f375c5c55b7da30b264111b5d05ca5ec372e4e25f9ce

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3vdU:bAvJCYOOvbRPDEgXRcJC

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:2532
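The process tree above is what the "Executes dropped EXE" signature summarises: the sample (PID 2916) writes demka.exe into its own %TEMP% directory and then spawns it (PID 2532). As an added example that is not part of the sandbox report, the Python below turns that behaviour into a detection rule run over Sysmon-style FileCreate (ID 11), ProcessCreate (ID 1) and ImageLoad (ID 7) records. The Event dataclass, the event stream and the notepad/cmd/kernel32 decoys are constructed for the example; only the two file paths and the PIDs 2916 and 2532 are taken from the report.

```python
"""Rule: a process drops a PE (.exe/.dll) and that file is later executed or loaded.

Added example for the sandbox report above; the events are synthetic records
shaped like Sysmon FileCreate / ProcessCreate / ImageLoad, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record carrying only the fields the rule needs."""
    event_id: int          # 11 = FileCreate, 1 = ProcessCreate, 7 = ImageLoad
    pid: int               # writer (11) / loader (7) / the new process itself (1)
    image: str             # writer or loader image (11, 7), new process image (1)
    target: str = ""       # TargetFilename (11) or ImageLoaded (7)
    parent_pid: int = 0    # ParentProcessId (1)

# Paths and PIDs from the report; the parent PID 1480 is an assumed explorer.exe.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\demka.exe"

# Constructed, time-ordered event stream: the report's dropper chain plus
# benign noise (notepad writing a text file, cmd.exe, a system DLL load).
EVENTS: List[Event] = [
    Event(1, 2916, DROPPER, parent_pid=1480),
    Event(11, 2916, DROPPER, target=DROPPED),
    Event(1, 2532, DROPPED, parent_pid=2916),
    Event(11, 3300, r"C:\Windows\System32\notepad.exe",
          target=r"C:\Users\Admin\Desktop\notes.txt"),
    Event(1, 3400, r"C:\Windows\System32\cmd.exe", parent_pid=3300),
    Event(7, 2532, DROPPED, target=r"C:\Windows\System32\kernel32.dll"),
]

# (rule name, pid that wrote the file, pid that ran/loaded it, path, same_parent)
Hit = Tuple[str, int, int, str, bool]

def detect_dropped_payloads(events: Iterable[Event]) -> List[Hit]:
    """Correlate PE drops with later execution/loading of the same path.

    Keys on the normalised path, so execution by a third process (scheduled
    task, service) is still caught; `same_parent` records whether the dropper
    itself launched the file, which is the exact shape seen in the report.
    """
    dropped: Dict[str, int] = {}   # lowercased path -> pid that wrote it
    hits: List[Hit] = []
    for e in events:
        if e.event_id == 11 and e.target.lower().endswith((".exe", ".dll")):
            dropped[e.target.lower()] = e.pid
        elif e.event_id == 1:
            writer = dropped.get(e.image.lower())
            if writer is not None:
                hits.append(("executes_dropped_exe", writer, e.pid, e.image,
                             writer == e.parent_pid))
        elif e.event_id == 7:
            writer = dropped.get(e.target.lower())
            if writer is not None:
                hits.append(("loads_dropped_dll", writer, e.pid, e.target, False))
    return hits

def dropper_pids(events: Iterable[Event]) -> List[int]:
    """Distinct PIDs whose dropped file was subsequently run or loaded."""
    seen: List[int] = []
    for _, writer, _, _, _ in detect_dropped_payloads(events):
        if writer not in seen:
            seen.append(writer)
    return seen

if __name__ == "__main__":
    for hit in detect_dropped_payloads(EVENTS):
        print(hit)
```

The rule requires the drop to precede the execution in the stream, so events must be fed in timestamp order. It is evaded if the payload is renamed or copied before launch; correlating on the file hash (Sysmon's ProcessCreate carries a Hashes field) rather than the path closes that gap at the cost of hashing every created file.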

Network

        MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\demka.exe

    Filesize

    31KB

    MD5

    3424207893b64a11f8bcb4538a86477d

    SHA1

    e5833fdc92822500598f2a1b596cdf21a7ba9dc0

    SHA256

    1830c36acd4a2425c92b3b133bed7c3d5990d87c0f1e9bf1fde19a9bec7bdc85

    SHA512

    87918f07baebd97ab1a6d9fc75ed80a5e93535ec23155809cf6ae106ad0b87ac0eba5b6b283c80a5a0cc5d450abae8bffbb0acd3f1e866fb5eb12dfbccf06f40

  • memory/2916-1-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2916-0-0x0000000000380000-0x0000000000386000-memory.dmp

    Filesize

    24KB

  • memory/2916-8-0x0000000000380000-0x0000000000386000-memory.dmp

    Filesize

    24KB