Overview

overview

7

Static

static

3

2025-03-21...er.exe

windows7-x64

7

2025-03-21...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    104s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2025, 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-21_ba5062b17ea3a5951e74f391b53ab701_cryptolocker.exe

  • Size

    56KB

  • MD5

    ba5062b17ea3a5951e74f391b53ab701

  • SHA1

    13e94711f5c89a1c9f8b4b1ec6137135d9b5eb30

  • SHA256

    d279c8abdd6ef7774c6b2b831f11b403c2dacde6b9e3cb4b0569ac25fb1fd3f8

  • SHA512

    9c9dd7f7bbc05508e86b1cb32785b3ee3d1382559f3f8307a61d3ca0c54853108c09dca724741b667cce0a9d1f5412c7549241a6968065c65bfb327b805f52f0

  • SSDEEP

    768:bdvJCYOOvbRPDTHgX0fZF+FYFAEF9wZGrwC/gFzpCYV3:bdvJCF+RXgKigACKGB/oFCS3

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-21_ba5062b17ea3a5951e74f391b53ab701_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-21_ba5062b17ea3a5951e74f391b53ab701_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe
    Filesize

    56KB

    MD5

    834d5c22d6a9a22d7f0438f5f2c9c3e3

    SHA1

    eb80d38d0455ee7c1086dba37e7998b6fe06133e

    SHA256

    92244a8cfdb11ba9edc40d75fcc8b51c29dee9b1ddf914c71b7e6afd2de2c713

    SHA512

    b78a481d467cd972ae01abb7de994dc4eba32888ff36e3e5aaab9b5517318d949039870807be31dc4cb1bde753784d4fd12478999d481d3d4cebc1162df0190c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\medkem.exe
    Filesize

    186B

    MD5

    9954fb677395878aacde10006b3714fc

    SHA1

    44216ad635100da897812a7094a49547a61b952a

    SHA256

    ab3f420b9f619a6776f645bee4e6ae0e831d634c72cda6775f322561a105efe2

    SHA512

    7bc2e0f1eaf760534113c420bd547166aec27107edad0931c23c039d894906223ff797796f14a531fa02a729efc122834b39974dda9ef6410bec64db5c13a21c

    Download Submit

  • memory/1836-0-0x00000000022B0000-0x00000000022B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1836-1-0x00000000022B0000-0x00000000022B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1836-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4048-25-0x0000000002170000-0x0000000002176000-memory.dmp

    Filesize

    24KB

    Download