54cd04bb370bb8f2aa0281e1f4efa885773dde34a761df03496e815b8e2993da

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe
Size

35KB
MD5

a0ea666dffbe34a24ac302a234d94fca
SHA1

adb678e89e5349224ac2f89b5e60636ff555c966
SHA256

54cd04bb370bb8f2aa0281e1f4efa885773dde34a761df03496e815b8e2993da
SHA512

43aee9a4edba3caca5d31cce7cb12c035b1c0a076d6c5f5377bfa15171943ab05337bf777c37c0568be2dbaca86d9853cf09f2186cb76dd2f06cbc73a63e7a80
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6ckJp0qAgmEzXKxA+T9riu:bAvJCYOOvbRPDEgXRc+BAILiJiu

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002341b-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	demka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1832	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1832	1552	2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe	83
PID 1552 wrote to memory of 1832	1552	2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe	83
PID 1552 wrote to memory of 1832	1552	2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
35KB

MD5
f6150dbf80361fb67d2a592393d3c5c6

SHA1
9e25b9948112813b8071d76b9ab6049af05ac658

SHA256
6e3c151fda886998c6a7b807744fff71613b38620720820c8f300a4c8709676f

SHA512
1dd71e9a39d56235e0470b50e9aaefb0451f6cd40d16779c17b3ebb33a9dc4c46aadec982ef12436c0e88ed216a2917e33966d51ef434e2f0b8f6ba3e5aeaf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
186B

MD5
ceb032d0d01966cd04d403b95e64e6e8

SHA1
5873bb8a34a16cf4bcef2f68e6aba2e08fbe5851

SHA256
6072a04f8389d903943e4b71062e527cb36660d9e42ec9152153419cfee3cde8

SHA512
7453ad3953e5e331c30cc6160400995891f3121f76eedacaeee8bfd3b06582d2bb737e775e823453b78065b4e0919d57407d5b63975e369c2cf31217e50285b3

Download Submit
memory/1552-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1552-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1552-8-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1832-25-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download