Analysis
max time kernel: 83s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2 (the run shown on this page: platform windows10-2004_x64, resource win10v2004-20231215-en)
  Sample: 2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
Size: 49KB
MD5: e2d6cf7cf4d76cdcd5fd27d999ffc6f4
SHA1: 71364e9f4b8a2378ea94388d8eac26605af0c96b
SHA256: 2ad24ef57891814e5fd1e200ef840127b168ba9d2f58adc76abc0cdb9273ec5a
SHA512: 21e13798ecb227683c898f3d2d2fbcea0937364d6b7442ccd3ac310205ffb7414a351994d1bb2cc70eda454528dd948c5d0fa23f15ff0186bc80558c58b6d16f
SSDEEP: 1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAI8:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7v
Malware Config
Signatures
-
Detection of CryptoLocker Variants (1 IoC)
  YARA rule CryptoLocker_rule2 matched C:\Users\Admin\AppData\Local\Temp\hurok.exe
Detection of Cryptolocker Samples (1 IoC)
  YARA rule CryptoLocker_set1 matched C:\Users\Admin\AppData\Local\Temp\hurok.exe
Both YARA hits are on the dropped file hurok.exe, not on the submitted sample itself; static scanning of the submitted binary alone would not have produced these matches.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe queried key value \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
  hurok.exe queried key value \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
  PID 4172 hurok.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1232 (2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe) wrote to the memory of PID 4172 (hurok.exe), recorded three times.
The writer is the parent of the process it wrote to, and the target is the child it launched. A parent writing into a freshly created child is consistent with ordinary process start-up as well as with code injection or hollowing; the three write events alone do not show which, so treat this signature as corroborating the dropped-EXE behaviour rather than as independent evidence of injection.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe"
  PID: 1232
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\hurok.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      PID: 4172
      - Checks computer location settings
      - Executes dropped EXE
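The behaviours above (a binary in the user's Temp directory dropping and launching a second binary in Temp, both querying Control Panel\International\Geo\Nation) are the kind of thing a host-based detection can correlate from process, file and registry telemetry. The script below is an added example, not the sandbox's own logic or output format: it runs a small correlation over constructed events whose PIDs and paths are taken from this report. The file_create event for hurok.exe is an assumption (the report shows hurok.exe being executed as a dropped file but does not list the write), and the event field layout is this example's own.

```python
"""Correlate process, file and registry events into the behaviours this report
flags: an executable dropped into the user's Temp directory and run, and a
lookup of the configured country code (Control Panel\\International\\Geo\\Nation).
"""
import re
from collections import defaultdict

# Constructed sample events, modelled on the PIDs and paths in the report.
# The field layout is this example's own, not the sandbox's log format.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1232, "ppid": 800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe"},
    {"type": "registry_query", "pid": 1232,
     "key": r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation"},
    # Assumed drop event: the report shows hurok.exe being executed, not written.
    {"type": "file_create", "pid": 1232,
     "path": r"C:\Users\Admin\AppData\Local\Temp\hurok.exe"},
    {"type": "process_create", "pid": 4172, "ppid": 1232,
     "image": r"C:\Users\Admin\AppData\Local\Temp\hurok.exe"},
    {"type": "registry_query", "pid": 4172,
     "key": r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation"},
    # Benign control: a System32 binary with a non-Temp parent and no Geo lookup.
    {"type": "process_create", "pid": 5000, "ppid": 800,
     "image": r"C:\Windows\System32\notepad.exe"},
]

USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def in_user_temp(path):
    """True when the image lives under <drive>:\\Users\\<user>\\AppData\\Local\\Temp\\."""
    return bool(USER_TEMP_RE.match(path))


def correlate(events):
    """Return {pid: sorted list of behaviour tags} for every process that
    triggered at least one tag. Events must be in chronological order."""
    image_of = {}            # pid -> image path of the process
    dropped = {}             # lower-cased path -> pid that wrote it
    tags = defaultdict(set)
    for ev in events:
        t = ev["type"]
        if t == "file_create":
            dropped[ev["path"].lower()] = ev["pid"]
        elif t == "process_create":
            pid, image = ev["pid"], ev["image"]
            image_of[pid] = image
            if in_user_temp(image):
                tags[pid].add("executes_from_user_temp")
                parent_image = image_of.get(ev["ppid"])
                if parent_image and in_user_temp(parent_image):
                    tags[pid].add("temp_exe_spawned_by_temp_exe")
            if image.lower() in dropped:
                tags[pid].add("executes_dropped_exe")
        elif t == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            tags[ev["pid"]].add("queries_geo_nation")
    return {pid: sorted(s) for pid, s in tags.items()}


def suspicious_pids(events, min_tags=2):
    """PIDs that accumulated at least min_tags behaviours. A lone Geo\\Nation
    query is normal for localised installers and applications, so it is only
    reported in combination with another behaviour."""
    return sorted(pid for pid, t in correlate(events).items() if len(t) >= min_tags)


if __name__ == "__main__":
    for pid, t in sorted(correlate(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(t))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

On the constructed events, PID 1232 is tagged for running from Temp and the Geo\Nation query, PID 4172 additionally for being a dropped file spawned by a Temp-resident parent, and the System32 control process is not tagged at all. The min_tags threshold is the point of the design: the registry lookup on its own is too common in legitimate software to alert on, so it only raises a finding alongside the drop-and-execute pattern.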
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 49KB
  MD5: b6e6e79a530d0e01ad19059e5cc2ca00
  SHA1: 942b46b14b106c3529bcb92c1834ad84ffc7d484
  SHA256: e6010ed05bc03f3c130594984614e453817512bc00e1c67e1029b97f33592947
  SHA512: c03d3d53abed4b05e39a66c7ba63b75b293af490f9caef9bbd34bc46996f1f56b1323144f516ef8cccfeb9d7b60be8f6c57d2bbfb48b453a93ff71585babc92b
File 2
  Filesize: 1KB
  MD5: 80233886531badd948cc965c948d3828
  SHA1: 63a081363eb6a200ed731ae49e9de8c96ba6b79f
  SHA256: bae99dee83b075e165a613dfeca6b9688024770c5d956075f353ceb1166b8981
  SHA512: 49f74644836ef4e5b6b8afdec479ee8d6d1dc77aa1f3ad9c3d9d6a1b72528b6991c163ba5c107c1e904f3633661cae305923f3f468f6eff22c5fe3bf76466844
Neither hash set matches the submitted sample (MD5 e2d6cf7cf4d76cdcd5fd27d999ffc6f4); the 49KB artefact has the same size as the sample but a different hash, so both are distinct files produced during the run.