1a3f707d8d2e00942ed6530d1db86311ea63dd2e3c022c6a747bff8489213fca

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe
Size

52KB
MD5

8c1c0b10b17febc64c16c9ffaa0453f9
SHA1

d7acf650acc20098fe73304a3dd945049d0f54e8
SHA256

1a3f707d8d2e00942ed6530d1db86311ea63dd2e3c022c6a747bff8489213fca
SHA512

fffa581d4158258c1f3e098f6760f983ea46d1069d07527f487ec700609fe494f0d51e72fa9abcb09f8eab1dc87a8a3a3c7b4187d49992f813b123c8f2568a61
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp008c:aq7tdgI2MyzNORQtOflIwoHNV2XBFV76

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2332	8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe
2908	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2908	2332	8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe	28
PID 2332 wrote to memory of 2908	2332	8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe	28
PID 2332 wrote to memory of 2908	2332	8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe	28
PID 2332 wrote to memory of 2908	2332	8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8c1c0b10b17febc64c16c9ffaa0453f9_cryptolocker_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
52KB

MD5
d8a8f577288646eb5f90c9404abc1b74

SHA1
c6b226fc7bf6ba1fcb4430835bc12a506a4eb383

SHA256
2f8ad0d3c5b89836ae10ea5e1bfaba04a90acccd7509a338b399b9f1980658d0

SHA512
de5a48e5cf38295394a12016d715f0752aa67d1a4d062df7c7c1d2d09c6eb92e07aafb10a76ee751d0418c728a9796e3b27bce6743a7db51571d7678b1e2f469

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
52KB

MD5
d8a8f577288646eb5f90c9404abc1b74

SHA1
c6b226fc7bf6ba1fcb4430835bc12a506a4eb383

SHA256
2f8ad0d3c5b89836ae10ea5e1bfaba04a90acccd7509a338b399b9f1980658d0

SHA512
de5a48e5cf38295394a12016d715f0752aa67d1a4d062df7c7c1d2d09c6eb92e07aafb10a76ee751d0418c728a9796e3b27bce6743a7db51571d7678b1e2f469

Download Submit
\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
52KB

MD5
d8a8f577288646eb5f90c9404abc1b74

SHA1
c6b226fc7bf6ba1fcb4430835bc12a506a4eb383

SHA256
2f8ad0d3c5b89836ae10ea5e1bfaba04a90acccd7509a338b399b9f1980658d0

SHA512
de5a48e5cf38295394a12016d715f0752aa67d1a4d062df7c7c1d2d09c6eb92e07aafb10a76ee751d0418c728a9796e3b27bce6743a7db51571d7678b1e2f469

Download Submit
memory/2332-54-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2332-55-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2332-56-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-71-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download