67ce5eff95b6ee1aa7ca19b0dbd31fda4310c03252e9cf9664be0a1878d41f97

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe
Size

43KB
MD5

9443069260b74355e93927f95a8d11c2
SHA1

dba9a8856a3d314e1abfc68ebc4b3b082ce043cf
SHA256

67ce5eff95b6ee1aa7ca19b0dbd31fda4310c03252e9cf9664be0a1878d41f97
SHA512

1d37cf74e1735e0e35abfe62b41bdca8c9fc9b53e21aa27f48b2de6813fc2c04168e941acd3045373c02d42abcd037154e7c5d3bd938fd15d59cab32159e1edb
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kxa:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xf

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023247-13.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023247-13.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	hurok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3524	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 3524	3604	2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe	99
PID 3604 wrote to memory of 3524	3604	2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe	99
PID 3604 wrote to memory of 3524	3604	2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_9443069260b74355e93927f95a8d11c2_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
44KB

MD5
24f0e6cdcb8ba349d89aa82ec41e09ba

SHA1
55e69637734c408d698e765c7de8e5b61eb0cb65

SHA256
e43fe753c947e4580713fdc2b01d002f42f859958015ee20d020ca4d1816b6de

SHA512
6b9d121ec9be79315b1906bc0f1d41fdda48b5de33ae2561b6464e830ecaf74ea4b9bf8026d9e9b05c33f5dbc9daaa92ff644e32443fc817775d47f954a1c322

Download Submit
memory/3524-18-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/3604-0-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/3604-1-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/3604-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download