f1d7d9f71a182886d7015e9144445398bcde443206c320ce51867063ed210782

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe
Size

38KB
MD5

446048652f4dd40187354e9ac4aa013f
SHA1

b3259b926d1acbd77d59c4c1eac983339da62a9d
SHA256

f1d7d9f71a182886d7015e9144445398bcde443206c320ce51867063ed210782
SHA512

022ae2dfc75a50ac4565648356ceb0849d0e1d8cd7aa4354b0455315f5b0d3e32277d7004553a5a5eb715851ca6261bf2e7cf722f3f139af0b933b55e7093365
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGp/YIm7wm0WZye:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xc

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023383-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023383-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2864	900	2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe	85
PID 900 wrote to memory of 2864	900	2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe	85
PID 900 wrote to memory of 2864	900	2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_446048652f4dd40187354e9ac4aa013f_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
38KB

MD5
19d0a61041e80f807945d3566a6d4217

SHA1
e111923c344ea27f87000f704a67067b835629ea

SHA256
9eeef5fa1d43f0a20b1078239a0894aa6533f71da9ee02f8eae854c3742a1f21

SHA512
8928afb34e03a7457bf4098d1f926e738408774bb901433cc7ca387395bd37b95940ce8cf79aa45b75031435bb578be64fc9ea675845d9dde2de68052f035d8c

Download Submit
memory/900-0-0x0000000001F40000-0x0000000001F46000-memory.dmp

Filesize
24KB

Download
memory/900-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/900-8-0x0000000001F40000-0x0000000001F46000-memory.dmp

Filesize
24KB

Download