ef7bf8398316a833f92a416315b9e6ae5eca2cff4421b1c4fc294e72b5805204

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe
Size

43KB
MD5

bf57de882b97893ce0261c9d5031646e
SHA1

499b2c12cb3dd0e2acdc751b62fa4629ae9f8557
SHA256

ef7bf8398316a833f92a416315b9e6ae5eca2cff4421b1c4fc294e72b5805204
SHA512

b4ff2749a7f58d3f77a7d639a2f3cfa55acf887e9c99a6e8484a42db0f76b063def7dd763bae4390a0c81413721206f5ceb438b6211e54fa946d5eefe73b28a2
SSDEEP

768:bAvJCYOOvbRPDEgXrNekd7l94i3py/yY/Jd:bAvJCF+RQgJeab4sy/lj

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
4840	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	demka.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4840	1936	2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe	91
PID 1936 wrote to memory of 4840	1936	2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe	91
PID 1936 wrote to memory of 4840	1936	2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_bf57de882b97893ce0261c9d5031646e_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
43KB

MD5
d35f1f6a6704e495fda36a4a97656390

SHA1
7bb8177917487fae556a9d33fd5153308e378257

SHA256
be7f2b472aee63f3a9079e6a22d6863403c40bce7f933111c5f79b81ffb69799

SHA512
7eebff7d09add2372eee5d85de6983387a72620c2def3201fe2d6bb60bddd347c00850980e2b0623b6d552c7c416375316125a08cbae1d9899563bb063bdf1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\medkem.exe

Filesize
185B

MD5
5ea640d8da2c005367ee1845b5442865

SHA1
6169073ec4a7b0674db1b6028951ee8c4af7e375

SHA256
97659201842534a17c3713e2e535bffc0d11eff033c5e552038703c0b5f03f87

SHA512
161635c4b24202e86b0d348746551d9f8e46ed64b428e42fa15a1b1b2e1a6590c281a5d79751216bff751a71d0a0d993d5a3e742439604f3a2e3a011fc4214e1

Download Submit
memory/1936-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1936-1-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1936-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4840-25-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download