d1a814ada7802345d0d5985443284d479005c8422781da8e2f3b83b7debb0e65

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe
Size

52KB
MD5

fbae1b8d598ba5c42a73205258b37bec
SHA1

c12d25615ae9535c6c31c7491df645b18d2ba614
SHA256

d1a814ada7802345d0d5985443284d479005c8422781da8e2f3b83b7debb0e65
SHA512

a49e1e2fad2a29d4d26f9e3c357303c862baf9fbbe0c3ab4fbf57f3c3cfd433230af1dd984a9c417d51593fbc11c98389a0a09630991d8db9ebf6fcab41989f6
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzp0oj67H:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2560	fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe
2356	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2356	2560	fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe	28
PID 2560 wrote to memory of 2356	2560	fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe	28
PID 2560 wrote to memory of 2356	2560	fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe	28
PID 2560 wrote to memory of 2356	2560	fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fbae1b8d598ba5c42a73205258b37bec_cryptolocker_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
53KB

MD5
0b7ec31b138262b0bddc19fec7c89086

SHA1
3817c85463dd867f6262a7e1fb6ea1c6cbb26e56

SHA256
4108d3ec28536ae5d887ac223f0b5ffdac18d8e981b7928702606e89c94ef2b0

SHA512
eb9491fa89b09de449dbf07b3ce9decdc58d1a415052b580db98d87bc7e3e324a67fa0263cfee08307ddf5c94dd5c0465563bd056db192e6b507fa00516cf597

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
53KB

MD5
0b7ec31b138262b0bddc19fec7c89086

SHA1
3817c85463dd867f6262a7e1fb6ea1c6cbb26e56

SHA256
4108d3ec28536ae5d887ac223f0b5ffdac18d8e981b7928702606e89c94ef2b0

SHA512
eb9491fa89b09de449dbf07b3ce9decdc58d1a415052b580db98d87bc7e3e324a67fa0263cfee08307ddf5c94dd5c0465563bd056db192e6b507fa00516cf597

Download Submit
\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
53KB

MD5
0b7ec31b138262b0bddc19fec7c89086

SHA1
3817c85463dd867f6262a7e1fb6ea1c6cbb26e56

SHA256
4108d3ec28536ae5d887ac223f0b5ffdac18d8e981b7928702606e89c94ef2b0

SHA512
eb9491fa89b09de449dbf07b3ce9decdc58d1a415052b580db98d87bc7e3e324a67fa0263cfee08307ddf5c94dd5c0465563bd056db192e6b507fa00516cf597

Download Submit
memory/2356-71-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2560-54-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2560-55-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2560-56-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download