cf45d34e3c17f3b58f9f25b230b66812248d477011179b6b5f70f70a0d7830fe

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe
Size

67KB
MD5

979e0551765ddfd181bc14ed08bdedba
SHA1

e13604a93a65d1fb486cae1b9462126841109cf2
SHA256

cf45d34e3c17f3b58f9f25b230b66812248d477011179b6b5f70f70a0d7830fe
SHA512

80afa7b99dc821ff10450ca906f086ecf2d1f967c3a461f35a026b200a8e1d88cb69363c3e079f27f3cf19b7092e40f2dafa2e7e34e9b3c4b3379856a25ae1b7
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLo:aq7tdgI2MyzNORQtOflIwoHNV2XBFV75

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023227-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023227-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	hurok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4724	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4724	864	2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe	89
PID 864 wrote to memory of 4724	864	2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe	89
PID 864 wrote to memory of 4724	864	2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_979e0551765ddfd181bc14ed08bdedba_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
67KB

MD5
cc0257ec9cc73c158e94deb9f5b69da3

SHA1
11e8becec7fca56f970b86639d7953cbb57af46f

SHA256
be5a878dc6ce12d33ede978b41d0e3cb87961cb0f554d1662081370f0090593f

SHA512
ead3ee2f152f8f3c04d6522c6840a4f57e98d8f805fafd0c84d2bc8effa90df4f594013cfbf99ed6a75dfc7aec0cef832b957e2c3e7742733ad3c10d027a7a1a

Download Submit
memory/864-0-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/864-1-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/864-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4724-25-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download