Overview

overview

10

Static

static

10

2024-02-13...er.exe

windows7-x64

9

2024-02-13...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    87s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 22:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-13_29849f52c9906f26bb512ce7d16146a7_cryptolocker.exe

  • Size

    30KB

  • MD5

    29849f52c9906f26bb512ce7d16146a7

  • SHA1

    a7ec36a064618def62f51be689975d3bb1afc000

  • SHA256

    d81b66f6c775d565704b332c7981c8d566a51f9b7872496c8e1a26b2d7ca33da

  • SHA512

    fe73e923a5e0e72f3418cb86977f49796bba7851be3ec51c42433b5f7d2627a9f84358c9582a0b14a54706490a37bb305ca1b595eb7dee470a3fb5b51d0cbd9e

  • SSDEEP

    768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGp/YIm77X:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xw

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Detection of Cryptolocker Samples 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-13_29849f52c9906f26bb512ce7d16146a7_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-13_29849f52c9906f26bb512ce7d16146a7_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\hurok.exe
      "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:1620

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\hurok.exe
          Filesize

          31KB

          MD5

          a7b0319a26680a11db9db9acb7682b1c

          SHA1

          be1aa2a2d9d656423b0b2ef73e30566cbdd3488e

          SHA256

          cda3805d9830b4093e9f06ac5c4e28522334124605298907e2b2b9865aeb0430

          SHA512

          dd659ae2dc66210d9b653642f981d874f0a818548f41dbc7c454c0d833fa0d14a59e618ec0973805a2606549abed02acbb335c6fc329dc48ce34c1128a5e255a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hurrok.exe
          Filesize

          1KB

          MD5

          e08bb55fd7094fc01f479996a02114e1

          SHA1

          801e5aa003e6900219ac43ceef4b58cf1ce1af6b

          SHA256

          252cc051e266c6283d4fa5898382b43407dfbe13beabca6495d4c7429b853779

          SHA512

          4f87e6ee9ba26ed1bba91e9815157be216f430f92ab8e97ce64487a3bbd387a6e21e57c2b27a5fe1a094490699e4ade9ea1b403687f2fa049d53e575633c28aa

          Download Submit

        • memory/1620-25-0x0000000000480000-0x0000000000486000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3488-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3488-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3488-2-0x0000000000400000-0x0000000000406000-memory.dmp

          Filesize

          24KB

          Download