98699d0fb1a25a4cb75e29344b4ca9de6415418bc262a20df13c9b0e2884aba8

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 20:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe
Size

51KB
MD5

1e1855c5748c8f5d43f9811b7e038ff3
SHA1

c6eee4ba5c4596f23e8803acd6b573a8393c9be4
SHA256

98699d0fb1a25a4cb75e29344b4ca9de6415418bc262a20df13c9b0e2884aba8
SHA512

5d65a75a4720fc5e4a954286fb5afeca7371f016731126e6101ca14ff706a070a7a09cc6188fc1420e878d83a3db8ee6cfbd022bdb7c5718e6eec6ae6cade6dd
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAIKxpi:aq7tdgI2MyzNORQtOflIwoHNV2XBFV78

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00020000000227ea-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x00020000000227ea-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 2792	4552	2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe	95
PID 4552 wrote to memory of 2792	4552	2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe	95
PID 4552 wrote to memory of 2792	4552	2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe	95

C:\Users\Admin\AppData\Local\Temp\2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_1e1855c5748c8f5d43f9811b7e038ff3_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
51KB

MD5
a27b4e6073b005ad0c8e82cd1b80e2cc

SHA1
b2909a1b9fe6d59ceb83a24a5c5a18ecbc89ab55

SHA256
813d22a5c875625672dc5a31e81fbbe9064001e7914a8a453365dc6560a6ecc1

SHA512
5adef77616a386b6cad32d4ea7bcfa67402019eb401bc4514270af268efea0012a13e09558fb0659919653536084013dc048345d88999f99c92e4a436fd27a31

Download Submit
memory/2792-22-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4552-0-0x0000000002130000-0x0000000002136000-memory.dmp

Filesize
24KB

Download
memory/4552-1-0x0000000002130000-0x0000000002136000-memory.dmp

Filesize
24KB

Download
memory/4552-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download