e1605a4d7169839a9502960d561f49d084210fb241ec7eeb229c55adaa3c903d

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe
Size

65KB
MD5

fd0cce3abba6b2d10f77661f70b71b32
SHA1

a149ec18e4b94e2bbe6a752926f61658a863eea5
SHA256

e1605a4d7169839a9502960d561f49d084210fb241ec7eeb229c55adaa3c903d
SHA512

93ba97240a42d42ef958607b871ce7bcab59b5f4078d4ad5a0f163a3365bfdb39543274999e5c7d0773ced41a87c96309f3d082a2d7573d53fae33efb0123c81
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF299Nh:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7j

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hurok.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exehurok.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

Processes:

hurok.exe

pid process

5040 hurok.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5040	hurok.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe

description	pid	process	target process
PID 548 wrote to memory of 5040	548	2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe	hurok.exe
PID 548 wrote to memory of 5040	548	2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe	hurok.exe
PID 548 wrote to memory of 5040	548	2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe	hurok.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_fd0cce3abba6b2d10f77661f70b71b32_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
65KB

MD5
d6a3b7edff4e6de9ed503afab5dc0f9e

SHA1
25e902fd47c5d9096409bb1652d1daaa60a5281f

SHA256
107224ed4cbe3f2e224ed8df0c5335d82b15d56f7d7e2d84d9475f0d99fa1b8a

SHA512
a1ad87052ee1329d34209ea59f6a8ee47d17664c708465c967ea14f376949f793115a5dc40e1ac17fbad88cccbd3d52dc9d311281719ca47b79e5774ce3a734c

Download Submit
memory/548-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/548-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/548-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5040-25-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download