94306b84645d1bd8e776dca1c2df084f05e2cdc7d2e4c58d0c946a9560aec188

Analysis

max time kernel
145s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe
Size

36KB
MD5

a4d611b3681944596d238380b2c5742e
SHA1

d3473582f4950c39f06f23719d5be2b86a54468e
SHA256

94306b84645d1bd8e776dca1c2df084f05e2cdc7d2e4c58d0c946a9560aec188
SHA512

8c2af56869267c5fc37067ed5fdae4de50aacf0ae959f3061401a1fa0686f4b9cfcc6067738e93d9628f073b378306d02589971f56af01f09e312c8ea8d0824b
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzoiM8Nekdvjl9V50i3Nb/mVih:bAvJCYOOvbRPDEgXrNekd7l94i3p/f

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
3252	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3252	5100	2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe	22
PID 5100 wrote to memory of 3252	5100	2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe	22
PID 5100 wrote to memory of 3252	5100	2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe	22

C:\Users\Admin\AppData\Local\Temp\2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_a4d611b3681944596d238380b2c5742e_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
7KB

MD5
92d02a312d1bda24649db31aa2703eca

SHA1
36632e34813d556026893ef05e9f08016961c7f0

SHA256
fa708a3cf97ec419eef1a5b27e07c920e227d68a973a6a954da1b0ce29e36f39

SHA512
8182ddff72320f8560d0f07ca850815b64f730bf974f9e24d965fec80c3fed01413ab8b072788cb138ee618d9fa3faf27cbcccc33c03331466abb5ba8076cd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
5KB

MD5
ea09a660e8c18735e35ce52a319a3e0e

SHA1
4525ee5015077cc35ac9d4b6910bed17028123b5

SHA256
ea24e98dfdd1a0f8ae0de73d76f6a677d7d66d1adffdce7bdd495f30c7747164

SHA512
2d71be090f74b61b0a21b6dcccd511524472a2af20d0955fb14e5197898262172d3dd3b457a5b5e4893725d26410aaa4d2557688104fe396d27874ec764af384

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
5KB

MD5
b74cd307cb829a8a172a5b09adc2b850

SHA1
a898025c47c7cb93c0cf4c3fb5b6ce503e5ba920

SHA256
7c30857e143652a9a905aa9e3d8fecc57eee6c889f4425cd7dce0b247d8ca1c2

SHA512
0cd1179ba3b21c5c200e0465009581a9da2185932d74deee732f1d185999b16b610e0db2d762aea789e907f8397efe43b1c2e2503e8799195a8a20f1cb25a68f

Download Submit
memory/3252-25-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/5100-1-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/5100-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5100-0-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download