bab2f343478d89a0c6ed3a0b7b053bb03ef5a41159095b3eb9e6bf9f3910189a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe
Size

62KB
MD5

400b62f6e4f1e7c4029dd2cc9a65587d
SHA1

aed4a9a2ed26fcbddd353b2a8ae44b50b6cb0ca2
SHA256

bab2f343478d89a0c6ed3a0b7b053bb03ef5a41159095b3eb9e6bf9f3910189a
SHA512

300379bbedc281ac853bd5b78c00139947b3e07300808c6ae402dd006493ba449855e9357aa4a86f3d66fb9c8eb83d5c8b438cc4d0b30511251ee8b3dcd839bc
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSAak:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7v

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e980-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e980-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1292	368	2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe	87
PID 368 wrote to memory of 1292	368	2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe	87
PID 368 wrote to memory of 1292	368	2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_400b62f6e4f1e7c4029dd2cc9a65587d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
62KB

MD5
4246cf878440eb8384d7923ec7fda1d1

SHA1
74e5981b67518574042a8d8c3f216f64df23ce57

SHA256
c28402c58e1ad3e0579a04566a079e2e1d815946b719c25e129b3539b31b06c9

SHA512
6206059efb0fc7d614174099b9cf523793bcfcae98305cb2a54a649646a94db633d6351f5fb4a42a5a6497547011f8e1f76375ee3bfb074d8c1669539bce1364

Download Submit
memory/368-0-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/368-1-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/368-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1292-22-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download