4c7247767e5ebc7686d87a12f0144da13932fc7feb3679ba2ffac8a245a32404

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe
Size

68KB
MD5

60ead0f6ce2539bda11223b91426e4ae
SHA1

c2dd56e4b518be7521912dfe3a5115a4c263bb84
SHA256

4c7247767e5ebc7686d87a12f0144da13932fc7feb3679ba2ffac8a245a32404
SHA512

3145085fd8462461476ad4f604c1be8a1261b275c89a06aed4d9a0de45dffe5413a31e2bb5119293c16c0a9ca1deff0d36772c0bf6d101c0449e0675ce8d2058
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLEl:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7N

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
468	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 468	1208	2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe	85
PID 1208 wrote to memory of 468	1208	2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe	85
PID 1208 wrote to memory of 468	1208	2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_60ead0f6ce2539bda11223b91426e4ae_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
68KB

MD5
3badbb3e88af0399197e5f7b098303a4

SHA1
3be7244d9b91d049de465aabb9ed883022add315

SHA256
605d3052603954a29c90109677747e11d4953e35e2cfc00a993eba8538855ce8

SHA512
68238cd924b68686725e8c829bd7b0281fb12d421547d4fa1e84ad1c1fa19742b5235d074445a0071b2d7eace7a2873f9b609926332c4f5dd5cd824f02e55245

Download Submit
memory/468-25-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1208-0-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/1208-1-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/1208-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download