4cbeb8453c0a5179d80810dbe628817252b8a839e34f7aa861234145ebeb6160

Analysis

max time kernel
89s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe
Size

61KB
MD5

a8f8260742b3459cfdc6200de4d1e0cd
SHA1

df16d863b451663334e2e8d12c7ea2acef62d34e
SHA256

4cbeb8453c0a5179d80810dbe628817252b8a839e34f7aa861234145ebeb6160
SHA512

ddd68842445dd4df268adec6f03815f8aa0c350aa3a7a0527ba53ea69636fbbaa3d099f10c1a038b61a3638f1795027fc48adc134b100321b81fb6d8b004365f
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293s+:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7B

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000f00000002315a-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000f00000002315a-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5196 wrote to memory of 4984	5196	2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe	85
PID 5196 wrote to memory of 4984	5196	2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe	85
PID 5196 wrote to memory of 4984	5196	2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_a8f8260742b3459cfdc6200de4d1e0cd_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5196
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
61KB

MD5
def093d51c6bbe60f39283baefade068

SHA1
e1781c575b41a9b3a9c066e3a979a01b07344813

SHA256
000d09ea4ed3d25a4302770eab33394a816d2e0d8e39ce02e20986a583c358e1

SHA512
3c24f072bf78aff5c7d48ff4d2c02016d54c028f773088944a138dbf3f381494b4cb076720447bbfe34914a8a2faf307e78b558e094a23cfe402a99a565c1db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurrok.exe

Filesize
1KB

MD5
f6ad63416930c05203948c154d166c0a

SHA1
65fc40eadb3309edb884a5e330eef6654548876e

SHA256
c773e074a2646a29b421bbe9905fdfaba0d0ef29261d80ab57e5bfc2fdeaffc3

SHA512
ec0e7dff92459b786f40ffb56b3b3f08f1790b66d53079684b1f54a457c3460298b1d1853eec00a2a136119f95122c6cd9c1999da5ce1e56340e2605692d9c69

Download Submit
memory/4984-21-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/5196-0-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/5196-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/5196-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download