719a300af880ba3e25c8c126d5d6a3fedb090014fc5e7deac292f90d4d6362a6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe
Size

65KB
MD5

a8c7473da920c47c0e342e60b2279394
SHA1

a1db0cd947cf230b5cf7cd4421f21f56a11b099a
SHA256

719a300af880ba3e25c8c126d5d6a3fedb090014fc5e7deac292f90d4d6362a6
SHA512

5a8f01446d5ee07155e0f5190dc8afce450bd2ebde49784609b7801415aa15427132473b60d53664b3a5baf05322e775ee939de9558aabbce5d23ad99b8f2a8a
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293Wx:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7a

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	hurok.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hurok.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2128	2992	2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe	85
PID 2992 wrote to memory of 2128	2992	2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe	85
PID 2992 wrote to memory of 2128	2992	2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_a8c7473da920c47c0e342e60b2279394_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
65KB

MD5
71868b0005a1fa47fecab115a8fd3a8e

SHA1
7b99ff59c6f9a12a73b853c059c747ca38784b30

SHA256
d32a88b5fc39f80fe06d9d6b816fb80da9dd16f50eb4c45c71e02c40aa0a3ec4

SHA512
c5f12544a77da018f7333d48b44e4ffd3c267b2889d4e37bb82fb03568b7ff6daa826ed6850d9787fe18e169593e25e6352cc9169446a0ffcc6bdea6dd8b49c6

Download Submit
memory/2128-19-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/2992-0-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/2992-1-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/2992-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download