dc79a810d75356fc56714df331da3ab43d214755d8a15b008d83f165aa7c000b

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 22:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe
Size

66KB
MD5

d7b6593839d5d919e7cbdfa2c45df46d
SHA1

f880f31b2ab1706115cf4fa38318ee610b219674
SHA256

dc79a810d75356fc56714df331da3ab43d214755d8a15b008d83f165aa7c000b
SHA512

545270f20e118aaf8dddf0af12acc082d8cffe28b40277212416682b1c710aba244b7cc96dc813b7236067bd22015c3eed901ec0a04bcef7a0ead1f84a2065a0
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLD:aq7tdgI2MyzNORQtOflIwoHNV2XBFV72

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023219-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023219-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
3644	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3644	4892	2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe	91
PID 4892 wrote to memory of 3644	4892	2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe	91
PID 4892 wrote to memory of 3644	4892	2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_d7b6593839d5d919e7cbdfa2c45df46d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
66KB

MD5
c255eeb8cff88e3eac75f2f1a9a60103

SHA1
1e15d039f6d8f71b74428dd82feccd18c4d3bda0

SHA256
9e5beaaf07bdf5f7e0bd4e462662638d44e990652fc459e8120c92be4009a69e

SHA512
f3af12d672b001c25d0bb11999112dc27015f06af4472ccb9f49b765766cfeb164a691e07b3a66f64d9d45092df33c54c8086f0778616244fb0d7426203200f0

Download Submit
memory/3644-21-0x0000000002040000-0x0000000002046000-memory.dmp

Filesize
24KB

Download
memory/4892-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4892-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4892-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download