830eb2cf0324cc27da428a82fb4a97dc1a919e1486995a66d61db7e359f23ca0

Analysis

max time kernel
89s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe
Size

47KB
MD5

4514b240a2b56dc9f4be056d968bb3b5
SHA1

66c70b813b214d26597b13078de6951f770aecae
SHA256

830eb2cf0324cc27da428a82fb4a97dc1a919e1486995a66d61db7e359f23ca0
SHA512

c4be838b122d13896d0a45af637ffef5c0534db8da809b654d965e478114975fe263c5a3903c28157b2c8ca7f8b4d7497b9f3b00642d44d7be26e2c2e1944a55
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3KxV:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xk

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231eb-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231eb-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2380	2280	2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe	84
PID 2280 wrote to memory of 2380	2280	2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe	84
PID 2280 wrote to memory of 2380	2280	2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
48KB

MD5
27ac739263b8589d2b0b6452259de223

SHA1
9315379e9495aa39ddd3b03bdde3809c0ac5a24d

SHA256
ac7cbf2f010fc575a512c811f8b3ce77c6f7ea754da79d312fc4afccffcda74e

SHA512
5bd529347b965d0290e43e768c7e68a9ecb2a397c7495e627bed71b6e0c0660ec5c7d3aadd18411dff46df7ef681342753250bf41eae880e3731439d1625d882

Download Submit
memory/2280-0-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2280-1-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2280-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2380-25-0x0000000001F40000-0x0000000001F46000-memory.dmp

Filesize
24KB

Download