06de7ed6335c3b3fd88ed9b419999d11298c6b3cc73252bf0f737f5bad5acb54

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe
Size

65KB
MD5

c5bd3b2659b052582c99f43d9cd2076d
SHA1

0ac13b353a1e3de69c099ee8befbecf077dc0090
SHA256

06de7ed6335c3b3fd88ed9b419999d11298c6b3cc73252bf0f737f5bad5acb54
SHA512

f38f587189ef2bbf8bf000789dec78fe125bdd751ea2bb16c79c3bb322f254044688b2e036c60a33ccd70c9e65ab34f8266e486442747dff97f7d5a2d628023b
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSAaB:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7G

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022f40-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022f40-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
3824	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3824	3552	2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe	82
PID 3552 wrote to memory of 3824	3552	2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe	82
PID 3552 wrote to memory of 3824	3552	2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_c5bd3b2659b052582c99f43d9cd2076d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
65KB

MD5
765a8b1ead6da64ae68cb4e498d62527

SHA1
e9edce0b089323e0c97a1e750eefba5552f05eb1

SHA256
e9d05aaebe35e6f5efd94abfcec33a7658e30a1b0f4ece8b51cd582b3ee89504

SHA512
e56187f8f7882b919158e53640657f9cf8bb59f5297a4f2d51352f30f6b7398d24e45cbac036403fc579a853e213ad2a8052c52bc1523e176f4902048ba1ba67

Download Submit
memory/3552-0-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/3552-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3552-8-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/3824-25-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download