Analysis

  • max time kernel
    21s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 06:25

General

  • Target

    2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe

  • Size

    31KB

  • MD5

    c70ac706b4157167d03227532fc5a71e

  • SHA1

    e24fd5b88d43fe859e515f899889d9261d1fa1c2

  • SHA256

    7f8297a5240f75cc7cdbade449f70fa495ab5355c75c2df9f1fe1dcaf57ac95a

  • SHA512

    0a9478ba7eda3c3ac8129193cfa440a347b502a2ae7c0ccce83c54bdd14128b3190b4abf77753d35fa28f375c5c55b7da30b264111b5d05ca5ec372e4e25f9ce

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3vdU:bAvJCYOOvbRPDEgXRcJC

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_c70ac706b4157167d03227532fc5a71e_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:1720
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:532

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\demka.exe

            Filesize

            31KB

            MD5

            3424207893b64a11f8bcb4538a86477d

            SHA1

            e5833fdc92822500598f2a1b596cdf21a7ba9dc0

            SHA256

            1830c36acd4a2425c92b3b133bed7c3d5990d87c0f1e9bf1fde19a9bec7bdc85

            SHA512

            87918f07baebd97ab1a6d9fc75ed80a5e93535ec23155809cf6ae106ad0b87ac0eba5b6b283c80a5a0cc5d450abae8bffbb0acd3f1e866fb5eb12dfbccf06f40

          • C:\Users\Admin\AppData\Local\Temp\medkem.exe

            Filesize

            186B

            MD5

            16cdf4d2a37b9fbcb247c515277c4915

            SHA1

            51532c70c8fb7b87ec740a5241b3ccd243ec466d

            SHA256

            53b33e8fded234c01d97ba1cd36b99baa4da06237249727be1caf37bd2776d4e

            SHA512

            e3c065408fba9aa45441af570206ebbc6d7644ef7788608ee36e2919f2124e67696aa3a59f51689646b0fe0758919d9bc278b90137f21bbc2fbb9e82b57bc257

          • memory/452-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

            Filesize

            24KB

          • memory/452-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

            Filesize

            24KB

          • memory/452-2-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

          • memory/1720-25-0x00000000006F0000-0x00000000006F6000-memory.dmp

            Filesize

            24KB