a08527f653acf5a6fbf5f19cb3f6eed3a62e2de34b168afcc67542874c4fb93d

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe
Size

38KB
MD5

668c0bf4b7f161769921c15317db6b65
SHA1

a0cc35f8074a8bf0d5cfcbaec2c4de403ef9d18b
SHA256

a08527f653acf5a6fbf5f19cb3f6eed3a62e2de34b168afcc67542874c4fb93d
SHA512

3a52ee7624478ae16eb65bd16b6899e79ffe5b02d4e0779dbe020afdbfd941e00818cc96e2467b8060cf8b38ee859165aa960a03de676c279a6a2a8270376e62
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGp/YIm7wm0WZyS:o1KhxqwtdgI2MyzNORQtOflIwoHNV2X4

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exehurok.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

Processes:

hurok.exe

pid process

1000 hurok.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1000	hurok.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe

description	pid	process	target process
PID 4152 wrote to memory of 1000	4152	2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe	hurok.exe
PID 4152 wrote to memory of 1000	4152	2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe	hurok.exe
PID 4152 wrote to memory of 1000	4152	2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe	hurok.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_668c0bf4b7f161769921c15317db6b65_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
38KB

MD5
d04ab9c833b1996430858b77d101b521

SHA1
0e382f3a4ede3355e42802cf581156dda6ad3596

SHA256
ef5c529f7ca6ac96932be1891a03c4e83afb512c3063da1d706e5151b4826cdb

SHA512
21341cc44aa95908eadc8af1a86a3b9f2a284fee2e618ca899220743e914a43e567183a594ecfca213440c3d78ce430ed61b8e05870f9eaf88b1d14589370f9b

Download Submit
memory/1000-25-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4152-0-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4152-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4152-8-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download