b1d6cc703e9d3a36ea9b51b6566ffb98f77ee5a0dbd68614d9f10a13900e3d4d

Analysis

max time kernel
135s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
Size

45KB
MD5

db99634f581c422483cb54cb9a574e0c
SHA1

f877958b1a1d81306db2a68135f605043ee6175d
SHA256

b1d6cc703e9d3a36ea9b51b6566ffb98f77ee5a0dbd68614d9f10a13900e3d4d
SHA512

2a8c19034eb984d72de702fe3d5b4aceef5fae1f5d1c0bf6d1f789d527aab3d5b5ce41467d9654e16ad1db7cdcaa5c3cfe02523fa4e25b6b6037bb99fc3e897d
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kx2:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exehurok.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

Processes:

hurok.exe

pid process

700 hurok.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
700	hurok.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe

description	pid	process	target process
PID 3956 wrote to memory of 700	3956	2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe	hurok.exe
PID 3956 wrote to memory of 700	3956	2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe	hurok.exe
PID 3956 wrote to memory of 700	3956	2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe	hurok.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\hurok.exe
"C:\Users\Admin\AppData\Local\Temp\hurok.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe
Filesize
45KB

MD5
1be9e58349fa03d51abf3bbb6d26fa7d

SHA1
5b617a397e1cc37385921867fe85826117a4e1ef

SHA256
7db44e99acfdf865113d722dce5e9d16e67f6bc31d698adcc8ab567700cb87a4

SHA512
723a651419aa43b9e25830c4e637b7c00933d6c47ccc818a9f35fd52eff096f5a3b9c9736e909c078e0339579ef3438591dac4a55a41b9fd6436e4845f589446

Download Submit
memory/700-25-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/3956-0-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/3956-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3956-8-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download