Analysis
-
max time kernel
95s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31/05/2024, 03:17
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe
-
Size
68KB
-
MD5
fb13e8ba9470c8b465a08fb52f8e5dbf
-
SHA1
e55bcfc0e66f22ad7c6351b991ab7761603135e0
-
SHA256
a6f3a07018e6fc17a08dded59c71cd882bc44d5663ef86a77ddc7040e8425d52
-
SHA512
a0dea9db9bb99058fb4af13722b977a42df92c4dfebcd48a61b0777ebd0448e32d08ab8703cc36cf54d6ccd23f1055c15a9106c2d3d6903347137d775f2fae3f
-
SSDEEP
1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLE+:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7G
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x00090000000226f2-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
resource yara_rule behavioral2/files/0x00090000000226f2-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation 2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation hurok.exe -
Executes dropped EXE 1 IoCs
pid Process 548 hurok.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2132 wrote to memory of 548 2132 2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe 81 PID 2132 wrote to memory of 548 2132 2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe 81 PID 2132 wrote to memory of 548 2132 2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-31_fb13e8ba9470c8b465a08fb52f8e5dbf_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\hurok.exe"C:\Users\Admin\AppData\Local\Temp\hurok.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:548
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
69KB
MD56cbbb3c5b52b25d8687b2ad94b377d3f
SHA109f0a486bf2253e58cbdcd8187086eda51773dc9
SHA256624dcc8a87b56b8efcbebc631d10ec9201ddcb075840e506a4b6f719161f56b6
SHA5120e04f9a1cf53370a7e5a25e6bd0f401cc2d8b382478c3c252a06a89b637e06259c3aa091039fa8645c9ad7570a204b5fa44f61c40215287f52e8d976a670103c