452255975335340cfef7a484cd1077397b5e47ddc9cb8c452375bc1056e36799

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe
Size

35KB
MD5

3b98555520e5665314aff9604ca3d79b
SHA1

e9b0e383ccab689b04ee7145eda20a10b56b9386
SHA256

452255975335340cfef7a484cd1077397b5e47ddc9cb8c452375bc1056e36799
SHA512

286cf2fec5467ee8968c75f5d6414a24e8ef577be3cd9191143f9c1351d78dbcacd11f40e1edb1d164489ca6ba3b0efb89b0bb038bce9b97146c8884b5a1aa55
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjufAq18st8qL1ZA0bg:bAvJCYOOvbRPDEgXVFzpCYVaLlk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4796	1528	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	89
PID 1528 wrote to memory of 4796	1528	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	89
PID 1528 wrote to memory of 4796	1528	2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_3b98555520e5665314aff9604ca3d79b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
35KB

MD5
d7d93841ec4d880874a30d1c7d8c7794

SHA1
a25e552991051ee581c026e004681ef1f0c77f3b

SHA256
0711ff4b6ffbe347a557b085b45aabbc968ffaf14b529f23dd4d986ab110ff78

SHA512
58ac72ddbc87e4308bb8a9cddad0b852b8a7ebb0c6ae81f2771607d91b151d5475c57b6dcaeba04b094d35fec1f05418c6188050be1d9d05746853b70eb7b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
21KB

MD5
980e8964d63778d9d4e0bf7364901d97

SHA1
1f0ae3072c62c5c709f6595f21c114cd4ab7fd3c

SHA256
d2a0078ebb88bd746b85591cf0a45c5f6ede80a4c8580b4ad2f4dc6667972667

SHA512
b504d0c08ee1d58138ddf6def0ec3af9577693d24cd60b562c43075c8bf80942207f294ea8f47b29d5c2e51314d378603389064bc810eb6f5ab9d12bc4eb6642

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
23KB

MD5
dca2353701434e4c322ba22512b66a1a

SHA1
2eaf77ddf1c3b895cdc8b6fa8cbbccbad007eb84

SHA256
59ac2fae343d21dd655ce0f5a5ca82b3502a46789923e6b9d9f88926aeaa334d

SHA512
1adcd4f904f29a037497cba4fe3cc50730cf71888f7a648bddb838839100e0ffedd4acae894f1ca23d360725ae8335cf1bd1513cf2841df5ccb833e8f82b6f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
184B

MD5
29cd3ff41a9a66eaf4da74302673b86c

SHA1
d00d43f27c495aadfcbc16dae975e9e1970a4ec9

SHA256
50bdc4f6a644061547c01ef4d6226c04fa19004ed9614b4311fa3d51874d2da9

SHA512
ad727daa0150a91aac3b24763ae280471f972fbf26c6b01c911cf41f9402d1bf88ce142c84a1d2d892226ce4c879278b1d5a20fb58b5cb7ad87a56e5695d9b87

Download Submit
memory/1528-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/1528-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/1528-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4796-23-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download