6bda62b7470345608b6c21b6687fa4f30942078f8afaedf4108298f2ff4d028f

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe
Size

59KB
MD5

13d10f88ceb6c6f88b66d91258cec5b4
SHA1

4202d7120cef9f4f6db6c3685ffcebf96b00af4a
SHA256

6bda62b7470345608b6c21b6687fa4f30942078f8afaedf4108298f2ff4d028f
SHA512

543e1305b51c2c7eca560b77678a53790487674d92cb27b29a6881dc20777654e652baf6c24101a7fe743789ec4480e4755aad73fde15e7013ceba1ae3da3949
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDS3:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7C

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 2940	3828	NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe	88
PID 3828 wrote to memory of 2940	3828	NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe	88
PID 3828 wrote to memory of 2940	3828	NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_13d10f88ceb6c6f88b66d91258cec5b4_cryptolocker_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
59KB

MD5
173f093f3ff4348044c87151ffb339ae

SHA1
5169c7c44714525887698eb3e025c65e8272c84b

SHA256
d6e2fa803b1368496df87c33be9d7de7f7c051b4acea44eb0d45fad8740e14c7

SHA512
cb09b340b2689dd5ddd9488ab886ee8fdbcd3e3707881fb796cbe3ceff4c3581fe166787478f615e6edc5a99b28a6a0442ea59a9d6865cd9d4352fc75eef610a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
59KB

MD5
173f093f3ff4348044c87151ffb339ae

SHA1
5169c7c44714525887698eb3e025c65e8272c84b

SHA256
d6e2fa803b1368496df87c33be9d7de7f7c051b4acea44eb0d45fad8740e14c7

SHA512
cb09b340b2689dd5ddd9488ab886ee8fdbcd3e3707881fb796cbe3ceff4c3581fe166787478f615e6edc5a99b28a6a0442ea59a9d6865cd9d4352fc75eef610a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
59KB

MD5
173f093f3ff4348044c87151ffb339ae

SHA1
5169c7c44714525887698eb3e025c65e8272c84b

SHA256
d6e2fa803b1368496df87c33be9d7de7f7c051b4acea44eb0d45fad8740e14c7

SHA512
cb09b340b2689dd5ddd9488ab886ee8fdbcd3e3707881fb796cbe3ceff4c3581fe166787478f615e6edc5a99b28a6a0442ea59a9d6865cd9d4352fc75eef610a

Download Submit
memory/2940-20-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/3828-0-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/3828-1-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/3828-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download