2ad24ef57891814e5fd1e200ef840127b168ba9d2f58adc76abc0cdb9273ec5a

Analysis

max time kernel
83s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
Size

49KB
MD5

e2d6cf7cf4d76cdcd5fd27d999ffc6f4
SHA1

71364e9f4b8a2378ea94388d8eac26605af0c96b
SHA256

2ad24ef57891814e5fd1e200ef840127b168ba9d2f58adc76abc0cdb9273ec5a
SHA512

21e13798ecb227683c898f3d2d2fbcea0937364d6b7442ccd3ac310205ffb7414a351994d1bb2cc70eda454528dd948c5d0fa23f15ff0186bc80558c58b6d16f
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAI8:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7v

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exehurok.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

Processes:

hurok.exe

pid process

4172 hurok.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4172	hurok.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe

description	pid	process	target process
PID 1232 wrote to memory of 4172	1232	2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe	hurok.exe
PID 1232 wrote to memory of 4172	1232	2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe	hurok.exe
PID 1232 wrote to memory of 4172	1232	2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe	hurok.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_e2d6cf7cf4d76cdcd5fd27d999ffc6f4_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\hurok.exe
"C:\Users\Admin\AppData\Local\Temp\hurok.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
49KB

MD5
b6e6e79a530d0e01ad19059e5cc2ca00

SHA1
942b46b14b106c3529bcb92c1834ad84ffc7d484

SHA256
e6010ed05bc03f3c130594984614e453817512bc00e1c67e1029b97f33592947

SHA512
c03d3d53abed4b05e39a66c7ba63b75b293af490f9caef9bbd34bc46996f1f56b1323144f516ef8cccfeb9d7b60be8f6c57d2bbfb48b453a93ff71585babc92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurrok.exe

Filesize
1KB

MD5
80233886531badd948cc965c948d3828

SHA1
63a081363eb6a200ed731ae49e9de8c96ba6b79f

SHA256
bae99dee83b075e165a613dfeca6b9688024770c5d956075f353ceb1166b8981

SHA512
49f74644836ef4e5b6b8afdec479ee8d6d1dc77aa1f3ad9c3d9d6a1b72528b6991c163ba5c107c1e904f3633661cae305923f3f468f6eff22c5fe3bf76466844

Download Submit
memory/1232-0-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/1232-1-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/1232-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4172-20-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download