Analysis
- max time kernel: 135s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
- Resource: win10v2004-20240426-en
General
- Target: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
- Size: 45KB
- MD5: db99634f581c422483cb54cb9a574e0c
- SHA1: f877958b1a1d81306db2a68135f605043ee6175d
- SHA256: b1d6cc703e9d3a36ea9b51b6566ffb98f77ee5a0dbd68614d9f10a13900e3d4d
- SHA512: 2a8c19034eb984d72de702fe3d5b4aceef5fae1f5d1c0bf6d1f789d527aab3d5b5ce41467d9654e16ad1db7cdcaa5c3cfe02523fa4e25b6b6037bb99fc3e897d
- SSDEEP: 768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kx2:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\hurok.exe
  yara_rule: CryptoLocker_rule2
- Detection of Cryptolocker Samples (1 IoC)
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\hurok.exe
  yara_rule: CryptoLocker_set1
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe, hurok.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | hurok.exe
- Executes dropped EXE (1 IoC)
  Processes: hurok.exe
  pid | process
  700 | hurok.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
  description | pid | process | target process
  PID 3956 wrote to memory of 700 | 3956 | 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe | hurok.exe
  PID 3956 wrote to memory of 700 | 3956 | 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe | hurok.exe
  PID 3956 wrote to memory of 700 | 3956 | 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe | hurok.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hurok.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  Filesize: 45KB
  MD5: 1be9e58349fa03d51abf3bbb6d26fa7d
  SHA1: 5b617a397e1cc37385921867fe85826117a4e1ef
  SHA256: 7db44e99acfdf865113d722dce5e9d16e67f6bc31d698adcc8ab567700cb87a4
  SHA512: 723a651419aa43b9e25830c4e637b7c00933d6c47ccc818a9f35fd52eff096f5a3b9c9736e909c078e0339579ef3438591dac4a55a41b9fd6436e4845f589446
- memory/700-25-0x00000000006A0000-0x00000000006A6000-memory.dmp
  Filesize: 24KB
- memory/3956-0-0x0000000001FC0000-0x0000000001FC6000-memory.dmp
  Filesize: 24KB
- memory/3956-1-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/3956-8-0x0000000001FC0000-0x0000000001FC6000-memory.dmp
  Filesize: 24KB