Overview

overview

7

Static

static

3

2024-09-21...er.exe

windows7-x64

7

2024-09-21...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    95s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 20:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-21_b9ca86bce4701ca892fdb67b760e77ce_cryptolocker.exe

  • Size

    33KB

  • MD5

    b9ca86bce4701ca892fdb67b760e77ce

  • SHA1

    02d3cbcf68c64813d73538834ffbd4e2d45c4395

  • SHA256

    5d2077498310df9cacacf8d0933bb2958d3e31f1bcc802f66325a9eb3d65241b

  • SHA512

    0f6b56a250688519f2f585144941c7efed8bb1eb6acac0c24ead97bfce1c7275a5f5c373b25912385854687ad712408e7d66bf47769e763a7b99ad7a0b2e40b0

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7Ldb:bAvJCYOOvbRPDEgXRcJPdb

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-21_b9ca86bce4701ca892fdb67b760e77ce_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_b9ca86bce4701ca892fdb67b760e77ce_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe
    Filesize

    33KB

    MD5

    0b99465b70862cc9822d8f97b44603a0

    SHA1

    5b377d5ee949d68b43dcd55059e45fdef9062a3e

    SHA256

    cde74589e476c0237017c0786ce6199bc9c0fa9071791478b6de3c01040cb306

    SHA512

    8d21a85540c5eb9f65844499853b066babd910ecf6af364e50cc7dd9a9b3b56d5060f50b53e5a4eaf5b492694987133305033e3819ab5f6e59d063bf2a5d0136

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\medkem.exe
    Filesize

    185B

    MD5

    8252873be70b23a80aa92234e73548e8

    SHA1

    331f31d7ce4da33064f7a765a4a4598a110aa396

    SHA256

    4d193ee52bdf819f8e66afd4b61e8475392068f9a89ca688aab00aef19891242

    SHA512

    45303dc397c0763abf9e3ec895bd158b3efc77c50601dc392cdad24a502a6e7631a1cf0208c559bce5e6a161538a1a1e2b72e99216ddacc2e5be7eb7ff13c9b7

    Download Submit

  • memory/1632-19-0x0000000002090000-0x0000000002096000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4188-0-0x0000000002140000-0x0000000002146000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4188-1-0x0000000002140000-0x0000000002146000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4188-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download