Analysis
max time kernel: 103s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:54
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe
Size: 54KB
MD5: 7c961e3be1becd62603e8549a5820609
SHA1: bd25a113fc9f210fbf676ca7e9024e12be9b7e25
SHA256: dd0f3640a35cd329c37badd3ba6e4f00697c127f9e917205e5f9aa57e3aa2dca
SHA512: 8123770079b66ae8e66c61a19ac2b82287650c99aac35701a4a21266692cf8f02b015e3101812d864f0d03a25668b23357210ee2a0b83b85ff29704782b1dc0e
SSDEEP: 768:bdvJCYOOvbRPDTHgX0fZF+FYFAEF9wZGrwC/gFzpCYVx:bdvJCF+RXgKigACKGB/oFCSx
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1567862796-3850854820-1319363977-1000\Control Panel\International\Geo\Nation | 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1567862796-3850854820-1319363977-1000\Control Panel\International\Geo\Nation | demka.exe

Executes dropped EXE (1 IoC)
pid | Process
4316 | demka.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | demka.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 5272 wrote to memory of 4316 | 5272 | 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe | 88
PID 5272 wrote to memory of 4316 | 5272 | 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe | 88
PID 5272 wrote to memory of 4316 | 5272 | 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe | 88
Caveat: the only target is 4316, the demka.exe child that 5272 itself spawned. A parent writing into a child it has just created is also what a plain CreateProcess looks like (the parent copies the process parameters into the new process), so this signature on its own is not evidence of injection. Read it together with "Executes dropped EXE", which shows demka.exe running as its own process from its own file in Temp; a write into a process the sample did not create would be the stronger indicator.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe"
   PID: 5272
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\demka.exe (child of PID 5272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      PID: 4316
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
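The registry and WriteProcessMemory signature rows above are tables that the export flattened onto single lines. The Python below, added here as a worked example and not part of the sandbox's or the sample's own tooling, parses those rows back into records, maps the native \REGISTRY\USER\<SID> and \REGISTRY\MACHINE paths to the HKCU:/HKLM: form you would query on a live host, and checks each WriteProcessMemory writer against the process tree so that a parent-to-child write (the only kind seen here) is told apart from a write into a process the writer did not create. The input strings are copied from this report; PROCESS_TREE is built from the Processes section, and CONSTRUCTED_ROWS is a made-up row, not sandbox output, included only to show the cross-process verdict.

```python
"""Triage helpers for the flattened signature rows and process tree above.
Added example for this page; not the sandbox's own tooling. Input strings
are copied from the report, except where marked constructed."""
import re
from collections import Counter

# The two registry signature tables exactly as the export flattened them
# (one space between cells). A process name containing spaces would break
# the parser below; that is a limitation of the flattened format itself.
REGISTRY_ROWS = (
    r"Key value queried \REGISTRY\USER\S-1-5-21-1567862796-3850854820-1319363977-1000\Control Panel\International\Geo\Nation 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe "
    r"Key value queried \REGISTRY\USER\S-1-5-21-1567862796-3850854820-1319363977-1000\Control Panel\International\Geo\Nation demka.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language demka.exe"
)
REGISTRY_RE = re.compile(
    r"(Key value queried|Key opened) (\\REGISTRY\\.+?) (\S+\.exe)"
    r"(?= Key value queried| Key opened|$)"
)

# One WriteProcessMemory row; the report records it three times.
WPM_ROW = ("PID 5272 wrote to memory of 4316 5272 "
           "2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe 88")
WPM_ROWS = " ".join([WPM_ROW] * 3)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# pid -> (parent pid, image path), taken from the Processes section.
PROCESS_TREE = {
    5272: (None, r"C:\Users\Admin\AppData\Local\Temp\2025-07-03_7c961e3be1becd62603e8549a5820609_cryptolocker_elex.exe"),
    4316: (5272, r"C:\Users\Admin\AppData\Local\Temp\demka.exe"),
}

# Constructed row (NOT observed in the report): what a write into a process
# that is not the writer's own child would look like in this table format.
CONSTRUCTED_ROWS = "PID 4316 wrote to memory of 5272 4316 demka.exe 88"


def to_ps_path(native_key):
    """Map a native \\REGISTRY\\... path to the HKCU:/HKLM: form PowerShell
    uses on a live host. \\REGISTRY\\USER\\<SID> is that user's HKCU hive.
    ControlSet001 is kept as written; on a live host query CurrentControlSet
    instead, which links to whichever control set is actually active."""
    m = re.match(r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\(.*)", native_key)
    if m:
        return "HKCU:\\" + m.group(1)
    m = re.match(r"\\REGISTRY\\MACHINE\\(.*)", native_key)
    if m:
        return "HKLM:\\" + m.group(1)
    return native_key


def parse_registry_iocs(rows):
    """Split the flattened registry table into one record per row."""
    return [
        {"action": action, "key": key, "ps_path": to_ps_path(key), "process": proc}
        for action, key, proc in REGISTRY_RE.findall(rows)
    ]


def classify_writes(rows, tree):
    """Deduplicate WriteProcessMemory rows and say whether each writer is the
    target's parent. A parent writing into a child it just spawned is also
    what a plain CreateProcess looks like (the parent copies the process
    parameters into the new process), so that case is weak evidence alone;
    a write into any other process is the one worth chasing."""
    counts = Counter()
    for m in WPM_RE.finditer(rows):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    out = []
    for (writer, target), n in counts.items():
        parent = tree.get(target, (None, None))[0]
        if parent == writer:
            verdict = "parent-to-child"
        elif target in tree:
            verdict = "cross-process"
        else:
            verdict = "target-unknown"
        out.append({"writer": writer, "target": target, "writes": n, "verdict": verdict})
    return out


if __name__ == "__main__":
    for ioc in parse_registry_iocs(REGISTRY_ROWS):
        print(f"{ioc['process']}: {ioc['action']} {ioc['ps_path']}")
    for w in classify_writes(WPM_ROWS, PROCESS_TREE) + classify_writes(CONSTRUCTED_ROWS, PROCESS_TREE):
        print(w)
```

The HKCU:/HKLM: paths are what you would hand to Get-ItemProperty on a suspect host to see which country and language the sample would have observed there; the verdict field is the triage shortcut for the WriteProcessMemory signature, which only becomes interesting when it reports something other than parent-to-child.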
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 54KB
MD5: 8aaad8cde0513c78c45b1ba74b5a411c
SHA1: 895dd6a623932bfd3d5c73c06c064ccd07301c1d
SHA256: 22e8afa9cc44a1a616b462359f2b7a49267e8669468369380f93c11e7c2e3855
SHA512: e59b6faf3fa58056e42ddd4c96c46488e7269a9bcd35ba878c89cff92f6132710a69719061e346e816c154fd8061427d9f6d366509614811250454c8b6dbbb09
These hashes differ from the submitted sample's even though the size is also 54KB, so this artifact is not a byte-identical copy of the sample.