c25db3bac92e4952102ba9dc58dd2e7371f817db5e691d2eb91cbf247972d719

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe
Size

32KB
MD5

dd7d810c71262a3ea9b27b368c075527
SHA1

45ea6179e235c444aa634134bc007a8a55f4eee4
SHA256

c25db3bac92e4952102ba9dc58dd2e7371f817db5e691d2eb91cbf247972d719
SHA512

d68239bafe5ce5a67a22cfb461b04d27f0dcd515f8323d81b15363e43fd2b8c7774dccf3cc7da195e7122d8038fd51518048a021545b2d5fb895bc0a3ba227ea
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3vdod:bAvJCYOOvbRPDEgXRcJY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	demka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3216	2088	2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe	86
PID 2088 wrote to memory of 3216	2088	2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe	86
PID 2088 wrote to memory of 3216	2088	2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_dd7d810c71262a3ea9b27b368c075527_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
33KB

MD5
cae06c30137e92428511a4d683677f10

SHA1
3acfd785693f6f52d6e7e5c64d3fc8a93ce674e8

SHA256
a692f4bba8d6710d2ffc1ec5f967bf41e749f26896d32ffd41b8fc542d8ea5e7

SHA512
957854093ae1063078b7367a3389ec82f52b770c38f6c30211ae4e46b676e35c3b4ee70ee01bcd7bd3bdb8aa43c0e75ba4b215c382848e423cd80d5d826b556c

Download Submit
memory/2088-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2088-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2088-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3216-25-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download