1915f625bee6f35398c5bdc933af3435e40a7da91557703f56f8b20a7a538022

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe
Size

66KB
MD5

e602003b2ad117b36b32c7cadc28dfbe
SHA1

7e686cdc8dd43b87e021909301bfbfe0123074cb
SHA256

1915f625bee6f35398c5bdc933af3435e40a7da91557703f56f8b20a7a538022
SHA512

4f53e91a33fbd2353870393d84093d8e0ce8ce784f428d9f1a13f3335a6fc7ec8a270608e3241db89a1f52721e4a97abc54d813da42c801ef2920809de10b1e8
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293W7:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2416	3076	2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe	84
PID 3076 wrote to memory of 2416	3076	2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe	84
PID 3076 wrote to memory of 2416	3076	2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_e602003b2ad117b36b32c7cadc28dfbe_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
66KB

MD5
76c804b46debea18191247b97109dccc

SHA1
89c5ce251105ec096c63552f277db8407478d04b

SHA256
a0ab1b21d2d7470a421d67d15f32f2b47d4a5f801fbcde5ba403336927ad75ce

SHA512
fa73ad99fefe8997ac3fa1c21407f1a6ea612cb075b09fc887455a39ff4be4d87260bb05dcab06fc8bea2618e08d1c28b40ac6b22e8400ca144001372d0ca8b3

Download Submit
memory/2416-25-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/3076-0-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/3076-1-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/3076-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download