Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
27-08-2023 16:01
Static task
static1
Behavioral task
behavioral1
Sample
b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe
-
Size
56KB
-
MD5
b0529bf084cdfb502844cde27a97fa3d
-
SHA1
5c8fad688a70557f1dccc741247c7a9badf4d58d
-
SHA256
a4fb4ab5c310c8fb7953dbffca337f312875cd8c13b29db422298781b4c64db0
-
SHA512
c90690f1a1a09e6a98692595eff0ecaec268eb7a2a4c1c70d71dec3c0bdd5340e16e9da017c9e4152f9e9e1b9747f9dff1aeb137cfb14831a9ba39509e5ccd46
-
SSDEEP
1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDS2:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7T
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2836 hurok.exe -
Loads dropped DLL 1 IoCs
pid Process 2248 b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2248 b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe 2836 hurok.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2836 2248 b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe 28 PID 2248 wrote to memory of 2836 2248 b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe 28 PID 2248 wrote to memory of 2836 2248 b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe 28 PID 2248 wrote to memory of 2836 2248 b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe"C:\Users\Admin\AppData\Local\Temp\b0529bf084cdfb502844cde27a97fa3d_cryptolocker_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\hurok.exe"C:\Users\Admin\AppData\Local\Temp\hurok.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2836
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD5b8b4deb96fc29ebdd5e3ec04ed474356
SHA17787ef3bf85893e0bc36ec87d10a207d7d744974
SHA256b7a7dc47384e854255b6bb3db3ef201ae96fc1966a5ff0ccf40afbce5293bb69
SHA5127c61126e797e655429d2701f20466f97cdc4cadb0ce21d9e9db99e76fdfd1df002aa20792370e74480ce1f0ef3ec927e1a18de95611bca1b51e4f86505cbe26d
-
Filesize
56KB
MD5b8b4deb96fc29ebdd5e3ec04ed474356
SHA17787ef3bf85893e0bc36ec87d10a207d7d744974
SHA256b7a7dc47384e854255b6bb3db3ef201ae96fc1966a5ff0ccf40afbce5293bb69
SHA5127c61126e797e655429d2701f20466f97cdc4cadb0ce21d9e9db99e76fdfd1df002aa20792370e74480ce1f0ef3ec927e1a18de95611bca1b51e4f86505cbe26d
-
Filesize
56KB
MD5b8b4deb96fc29ebdd5e3ec04ed474356
SHA17787ef3bf85893e0bc36ec87d10a207d7d744974
SHA256b7a7dc47384e854255b6bb3db3ef201ae96fc1966a5ff0ccf40afbce5293bb69
SHA5127c61126e797e655429d2701f20466f97cdc4cadb0ce21d9e9db99e76fdfd1df002aa20792370e74480ce1f0ef3ec927e1a18de95611bca1b51e4f86505cbe26d