f407889b58ed2ef3ddc8926bd3bff16360bb4eab0a8ae871ad80b0c81adec090

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe
Size

32KB
MD5

e43a46b41d806c076a1f7469fac561fc
SHA1

f32f578b7bca97d99f5c4eeb6b64b10be02dcc21
SHA256

f407889b58ed2ef3ddc8926bd3bff16360bb4eab0a8ae871ad80b0c81adec090
SHA512

e00adf84aaf5a928b9539e810f473e781d2f00e7f032454a15ed0639343b703d4b72a3def9943fdca9ef9a8dee681f842778070df6eda4bc9bb1c19692b910a9
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v75:bAvJCYOOvbRPDEgXRcJt

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\demka.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exedemka.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

Processes:

demka.exe

pid process

2964 demka.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2964	demka.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe

description	pid	process	target process
PID 1568 wrote to memory of 2964	1568	2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe	demka.exe
PID 1568 wrote to memory of 2964	1568	2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe	demka.exe
PID 1568 wrote to memory of 2964	1568	2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe	demka.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_e43a46b41d806c076a1f7469fac561fc_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\demka.exe
"C:\Users\Admin\AppData\Local\Temp\demka.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
32KB

MD5
41f672913ce70761225418e84ee0cebb

SHA1
06c190686e71328f12de6b521833aa8ae8084d18

SHA256
d3c39038b6d01bc1186ee352a75f91b0d5a27cfc57813678f1a3c205daf12b54

SHA512
c4e1de028757e554327bfd6b475ad312d20a8d46629f6af6ff3e6e5ef002ef405107ebbcfaf588fff6f8f9b34d0e1df935d60cac9e40af6c4e6c241c7b4316c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
186B

MD5
42beaee0477b999f7c8cb8d25eb9a83f

SHA1
78ca2bd4a76e809be72a9737af33cb66c3bef21d

SHA256
6c2f7fac1e6987dba88436bb5a819735bec0991e76923ce409a9baba532512a1

SHA512
5e8afc2a85f6758c89ed64fba30d83526fec86208069a6b9ebf99b1b072e6a43574e52f3aa73a2b64b2c266dc31d53d8990959dae0761e9882e1a431bf01cbb8

Download Submit
memory/1568-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1568-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1568-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/2964-25-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download