Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 03:31

General

  • Target

    2024-09-19_77a3fe46ed182f9a90d5568076d3cb0b_cryptolocker.exe

  • Size

    33KB

  • MD5

    77a3fe46ed182f9a90d5568076d3cb0b

  • SHA1

    f15fded303fa01ab9416a2eaec237a49c98a04f2

  • SHA256

    392a5392319e0e74680224d10180f7d8a8f3566e4095a496a34ca52775f1c021

  • SHA512

    ee75d2020124ac092c070f3338040d069143d12a0e71d53a5083c8e9237e9399eac074fd2c8a51210809c5273e84d95e186544be8ef073008be0c3f5df17b2e1

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjufAq18vw:bAvJCYOOvbRPDEgXVFzpCYVvw

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_77a3fe46ed182f9a90d5568076d3cb0b_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_77a3fe46ed182f9a90d5568076d3cb0b_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4492

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe

    Filesize

    33KB

    MD5

    acf7a0905f73a97461673e38b7ad3c8c

    SHA1

    4cfbd905f1120068947bc3b762e34f8f532fa569

    SHA256

    0e019cb665ec4b25b3e1640c20abe7b8b3eefc2fc62faeff079f7cadd25de19a

    SHA512

    fbe9796598d89935184566e3f508eb15a742edd4d63503de24d72e8db1136ee3fb4889959630b1a7287223602e0a8768edbacdf983fa02fcef1e64afa7b617f6

  • C:\Users\Admin\AppData\Local\Temp\medkem.exe

    Filesize

    185B

    MD5

    7d0b0debf43dba17f7bcab0686c8ceba

    SHA1

    4c0e24ee3834a355844e9218becfe93785f593fa

    SHA256

    018cc08d3ff2882b53c60b1513af77c53963bb737f5426686970b3bca1bcc99a

    SHA512

    efd7a5b623913d8aef3d083ba0a53a9d4e817969d91441847b76daa6bf92b50d44b050db04f17e657a53864a4c0298321a6affca98f54214f8e6a695d0b5c6e4

  • memory/2240-0-0x0000000000640000-0x0000000000646000-memory.dmp

    Filesize

    24KB

  • memory/2240-1-0x0000000000640000-0x0000000000646000-memory.dmp

    Filesize

    24KB

  • memory/2240-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/4492-25-0x00000000006F0000-0x00000000006F6000-memory.dmp

    Filesize

    24KB