bde07b6acf3efbc1854976b5a54401efacd8ceb2a414c7b8547859e8c87fd050

Analysis

max time kernel
130s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe
Size

33KB
MD5

d93f10acc1f50f66fdbe0765adaa431d
SHA1

4d33c1e395c3bc431df1b3b32dec581fc0be09ac
SHA256

bde07b6acf3efbc1854976b5a54401efacd8ceb2a414c7b8547859e8c87fd050
SHA512

d60eaf61ca15732f3a51481f25d603dc7a705b03468d47b09ac1221f62deb010eb3ab523fc0d6e2fcf94004a59e10ea4e6544234e33e33a75fa46c04a1d5c429
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7yB:bAvJCYOOvbRPDEgXRcJG

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022fa8-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2748	1688	2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe	84
PID 1688 wrote to memory of 2748	1688	2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe	84
PID 1688 wrote to memory of 2748	1688	2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
33KB

MD5
cc30815ce62fd95d9870a2c6afb930cb

SHA1
af85301447e711fa173360b34999fb5d653f123e

SHA256
10e3258c851f0311129eba7ccbbb68c6df18508bfabec119a79cc8d07b4e46da

SHA512
2a4e05a7488d91e5a0df8e2249dcc7692d9b9703b99fe55f44b50547cc2442ba84af1381c99f6d2dc08151d01ec40a75a061ec33c5e57a1c778b2d22eed6676a

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
186B

MD5
4d998b720d03c719ed66fcaede063329

SHA1
b611a22c241135ee1942bc2487ee56a454af11dd

SHA256
e47bb81173ffdb30e2fb3e0c62a545b387b50ec90ec727b41c46e7e977ffec89

SHA512
1aa7db76bc3af82eced613bf2710f75127bb7fc970b01c0cd8e43e5a47f1334e350abdd21789524a61c000b348062cd4731dfe5616b4ca3b36018a3a932a74f6

Download Submit
memory/1688-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/1688-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1688-8-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/2748-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download