f1d151d3ea4eb0b8d28c57df7712961237770c80966630bff1643f40a507c075

Analysis

max time kernel
130s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 15:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe
Size

35KB
MD5

e29f11c1da7402bd53880718b31bc7b3
SHA1

09230b466c4f8865a0007369a64ec8ff2d9d5cf1
SHA256

f1d151d3ea4eb0b8d28c57df7712961237770c80966630bff1643f40a507c075
SHA512

01b1051b657109c62109c35fd7f8aeaa6836ceeab5cadea79a63189d1839a53ec46ca8c520b73ad7f5bbafa34239a6658f3a4b8cf71e1faa399365a48014238b
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cuM9gxrOQv:bAvJCYOOvbRPDEgXRcuM9gxiW

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b34-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
4472	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4472	4052	2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe	85
PID 4052 wrote to memory of 4472	4052	2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe	85
PID 4052 wrote to memory of 4472	4052	2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_e29f11c1da7402bd53880718b31bc7b3_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
35KB

MD5
a6e0cf4b6743dc945b6d4fc0a446b6be

SHA1
51217779b85bb5009a501ba8866f10084d7e1b23

SHA256
49c1656d5c781f6a1dfd78efff5b562dcf92c568348c2153ef8311ff3af7af69

SHA512
42703804071f9c305104dc23cb98e9245eeaddad7e69f6100132000e821f31906da5e7e83370126e4bea186359a46ca92eb537352e71a790a99a15d571557de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
186B

MD5
8f3cc3d8a49936a93cd16069851e3218

SHA1
ff3b1f69db1e172d93e2d160c5dd7c8efd9d5c5a

SHA256
3fd1dc0109648fb826058477e3a3f61701222e90677aa20795aded9b40b2929e

SHA512
6dde45c78141f3f61e67b6503a933cad9683cc8941f2f1914fbc56a6edb4411d3c08ff6aed8824731bb128620cc33b77fc54a414bb8284d61f59d98d17de8029

Download Submit
memory/4052-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4052-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4052-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download