7aaf4629e995677890bea234acba7cc69e0050223e8c5eb8a1bc1d3c3dcb4433

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe
Size

33KB
MD5

f1c06efded08dc54e65c51eb9c722676
SHA1

1a5a473bafac78fa9ecd64338e7814bd4557a848
SHA256

7aaf4629e995677890bea234acba7cc69e0050223e8c5eb8a1bc1d3c3dcb4433
SHA512

77383ca7e48796c3e13136e0af2eb3b8b14647a04ef802a2c443cfb7a204e71b69276f10626c5ada36f8faa6067eb05ee81fca0ce00a86166fcc1495052780f9
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3vdoR:bAvJCYOOvbRPDEgXRcJU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	demka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
852	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	demka.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 852	2248	2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe	85
PID 2248 wrote to memory of 852	2248	2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe	85
PID 2248 wrote to memory of 852	2248	2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_f1c06efded08dc54e65c51eb9c722676_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
33KB

MD5
2d264253ad5872837050700b52bc5792

SHA1
29476991e085bd71a4fc09926ca0cb84e9805600

SHA256
9a05b1021f97f6b9db952a1807b7f412c2c1cf82230790a4a87267f18ca6e856

SHA512
ab997a29de7da4aabbe9f315f2a155d2185d28ad9b85196effda495d7e4a5b23c7b045885c8f2fbbf321c0b0a5f9c0a24f7e774f50283d6e812f6039971aa4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
185B

MD5
5b6fe86f6ac64d82bd5cdcc18234a8cc

SHA1
d96f1fe117a169f0e1107b11728f31135a3d7a18

SHA256
02d0d888bef75f130689b1ebd4ed687d8bc0b594e94fb76ed7798727ab7d57a2

SHA512
b2743442969fda22bcdd9de4d5a2ce20f589e56e369d26196d61ee314e6420b8ffc232a429b85cca7fdb75a0f6ba11121bb3a52c99a48c231bd567ce89c68a88

Download Submit
memory/852-25-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/2248-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/2248-1-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/2248-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download