Overview

overview

7

Static

static

3

2024-09-19...er.exe

windows7-x64

7

2024-09-19...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    96s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-19_6c122948dcb0e71d6a76cec46289762b_cryptolocker.exe

  • Size

    33KB

  • MD5

    6c122948dcb0e71d6a76cec46289762b

  • SHA1

    60b7fb3fef96241e0989de95cc82365c6dc0b50c

  • SHA256

    b99aceb9f6c655cc5ca148408e9b938ab4a647a90629b3ea57cede3c33eeed32

  • SHA512

    1a528a48d7ef6f1adf1b374f4f07cca52d85151fc2802febd4bd6132feb6fe74d2c0c1942f15965dc1a3f3d01676748c75fb881ccac3653886b747e6813e593b

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjufAq18vK:bAvJCYOOvbRPDEgXVFzpCYVvK

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_6c122948dcb0e71d6a76cec46289762b_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_6c122948dcb0e71d6a76cec46289762b_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe
    Filesize

    33KB

    MD5

    0fbe690f6c05790b7b346dbb3aff8241

    SHA1

    1006d4c7d4ea79356af7e4d7d1e2daa19f531b8e

    SHA256

    12a4066a1822ee3c107f6d20dac2eb623fdf8b1983d55d75596758cedca0502e

    SHA512

    963a6e00495fc6bc30e3927e846549852023e45480617a8989ccd862813f6636b0f06ee68d200f2c2dc4a3bfa2b015a3e836735f63e9144d322ca9424e8594a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\medkem.exe
    Filesize

    185B

    MD5

    856ab1fc1ac338adfe829835084918ae

    SHA1

    5256a5e7e86634edea74e90ba248b5b7b56a990e

    SHA256

    6992bdeefb810d7b9662e0b509dae8bad37ef4e9350a827000675d8f95f09343

    SHA512

    3d3434a4ae5008f8df244be6bc7175e476a10dc9789110a6603c180823ea4bf2c7dc97a3ad1337b1f912d6ced706109f6040eee029ac43f0847e485e08131cbc

    Download Submit

  • memory/1716-25-0x0000000001FF0000-0x0000000001FF6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4876-0-0x00000000021C0000-0x00000000021C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4876-1-0x00000000021C0000-0x00000000021C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4876-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download