3ff14b3547c59c4b345e67444e7b4e94d0e179fecd764ff8d258cecf598900b9

Analysis

max time kernel
143s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe
Size

62KB
MD5

8e0f8498f08138d2353e7a25eaba8bcd
SHA1

66f8c905949d585532154f36772e5b6bfd0fde13
SHA256

3ff14b3547c59c4b345e67444e7b4e94d0e179fecd764ff8d258cecf598900b9
SHA512

64c43fe1880129007945aeaa8c1989080ab45ca7a289d6d349fdbbb70e9461e2d26ff5d816c828f637a73ff511011ce4536ac280dd71d0a62907b4c58b6fee79
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSAag:aq7tdgI2MyzNORQtOflIwoHNV2XBFV77

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023224-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023224-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation	2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
4668	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4668	3128	2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe	91
PID 3128 wrote to memory of 4668	3128	2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe	91
PID 3128 wrote to memory of 4668	3128	2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_8e0f8498f08138d2353e7a25eaba8bcd_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
62KB

MD5
a26cc650fdc48cf4fa25bfeb5f7c4d58

SHA1
2082faaa0995d2da4e9c2dcc2a3795ee4ca16c1c

SHA256
7794df28425e8e3d7d898f9c841a70221ad0920592c1dcd72e40ccd22d066c2f

SHA512
53a7a35258a2fe3e2a61708ad5918d183c8c7e88356b52eba0d7b9260047a7a576a7093abdd1e558a88e9bc7ade8a2223105985886cf6785bd503b9080703e60

Download Submit
memory/3128-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3128-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3128-1-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/4668-21-0x0000000001F40000-0x0000000001F46000-memory.dmp

Filesize
24KB

Download