916a7f15e3e87541a2d8940da92e009fde31a221e3f8c20a7547c0f2cdf3713c

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08/08/2023, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe
Size

62KB
MD5

983d4fc95daf943abb8fc91c347dd772
SHA1

2f786048d56f201ec0e89193e6ef96678ba6ae52
SHA256

916a7f15e3e87541a2d8940da92e009fde31a221e3f8c20a7547c0f2cdf3713c
SHA512

9e435901214066948818efe5deb712cf7cafbec29bac7ff229c72a0c799f053f33ec8470e474e64a582afcbeafad0aa8479938070495dddc5edb0f0adbd5757e
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniaKbH:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2328	983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe
2828	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2828	2328	983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe	28
PID 2328 wrote to memory of 2828	2328	983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe	28
PID 2328 wrote to memory of 2828	2328	983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe	28
PID 2328 wrote to memory of 2828	2328	983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\983d4fc95daf943abb8fc91c347dd772_cryptolocker_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
62KB

MD5
0bebd9518d077cfd28431c575d5659ca

SHA1
57e04626456c007b618eb65954b03dfd10bdeab5

SHA256
e7ad4d2d28f1d5c25a269c11a76ee983cdef2fc837ce0f1b9f98935799b71add

SHA512
1f51cdcc2b945a3a0a825aa5dd3de7c6dbe87b3b7bbc975e018d8ed52ac9ff77289f74e399c35bb4f2acbdfcae3778220d17da8b52059d8075943471b4f3f120

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
62KB

MD5
0bebd9518d077cfd28431c575d5659ca

SHA1
57e04626456c007b618eb65954b03dfd10bdeab5

SHA256
e7ad4d2d28f1d5c25a269c11a76ee983cdef2fc837ce0f1b9f98935799b71add

SHA512
1f51cdcc2b945a3a0a825aa5dd3de7c6dbe87b3b7bbc975e018d8ed52ac9ff77289f74e399c35bb4f2acbdfcae3778220d17da8b52059d8075943471b4f3f120

Download Submit
\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
62KB

MD5
0bebd9518d077cfd28431c575d5659ca

SHA1
57e04626456c007b618eb65954b03dfd10bdeab5

SHA256
e7ad4d2d28f1d5c25a269c11a76ee983cdef2fc837ce0f1b9f98935799b71add

SHA512
1f51cdcc2b945a3a0a825aa5dd3de7c6dbe87b3b7bbc975e018d8ed52ac9ff77289f74e399c35bb4f2acbdfcae3778220d17da8b52059d8075943471b4f3f120

Download Submit
memory/2328-54-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2328-56-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2328-55-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download