b8ce6fe5ef5ef1f11abc8e279d576c135f1bbe3da7a506d1cd53f834f8ad2e61

Analysis

max time kernel
133s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
Size

37KB
MD5

2a3a923b95881b33e7ad0099c0e66254
SHA1

c19743ae6766328482ea94271b2f5972119a745d
SHA256

b8ce6fe5ef5ef1f11abc8e279d576c135f1bbe3da7a506d1cd53f834f8ad2e61
SHA512

7f3d600901f739f61cb6b561edce9c2d4849cd5e71c8930baccae9abbbd4c13d02af2967bfe9b283329e88a11d9f3ed5a49989e328fe27da052e04240fd69455
SSDEEP

768:bAvJCYOOvbRPDEgXrNekd7l94i3pQheDIm:bAvJCF+RQgJeab4sbD

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\demka.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exedemka.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

Processes:

demka.exe

pid process

1536 demka.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1536	demka.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe

description	pid	process	target process
PID 1456 wrote to memory of 1536	1456	2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe	demka.exe
PID 1456 wrote to memory of 1536	1456	2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe	demka.exe
PID 1456 wrote to memory of 1536	1456	2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe	demka.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_2a3a923b95881b33e7ad0099c0e66254_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\demka.exe
"C:\Users\Admin\AppData\Local\Temp\demka.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:8
1⤵
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe
Filesize
37KB

MD5
c295645a1c8aaf9d7586bd95555ded06

SHA1
f669e86fc2f85ad7d253491baa6b182c4f08fe2c

SHA256
8e91a6e1d1875be5aae2edea1f5bb1a0886a48c3a8aef61425807ba443c34a97

SHA512
ef705c61041ef3c3d888e02913db124ddf0452c5e92815d49853c5497d12fbb46a8639d8a9f9723f167a20eea779b659a0c7d63d6c9f745c11bb698e28dadded

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe
Filesize
186B

MD5
6ff2b8673860c66344f5ea3938fbbfc3

SHA1
0ea60037416b4f7ce79a6c6d0d5f4b41ef09c7fb

SHA256
bea75e4d540c4dad263d1bfa7dfe76299496711bb91f3340a0ccad9704b52cfe

SHA512
0c011f96b5c6af5badc28e041e97dc055a2bc161db4b119127c9fbad68160a5ffb33bc779170033b49ee8c854064967aa141c51d4cdd15514868df641d6b7e7f

Download Submit
memory/1456-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1456-2-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1456-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1536-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download