b645eb7372b010794b3dfbbd3f6b23fa69620dc1a72d95c88d986d6e457b3119

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe
Size

36KB
MD5

1eb7d5f01066e7904c824cd70d88408d
SHA1

ea3bd4a88de52579103c454e6ae02fc0347cfc71
SHA256

b645eb7372b010794b3dfbbd3f6b23fa69620dc1a72d95c88d986d6e457b3119
SHA512

46673d93029b5dc9d738e90a5c1c0b90b954afc5c3c96cfca627455769cfd4536aabbac958571f57e46b36c892c9dc7ddd68301bd340a9a83e3cb1cac9656fb9
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpNEmNOmnQBDna:o1KhxqwtdgI2MyzNORQtOflIwoHNV2X7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
964	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2420	2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe
964	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 964	2420	2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe	28
PID 2420 wrote to memory of 964	2420	2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe	28
PID 2420 wrote to memory of 964	2420	2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe	28
PID 2420 wrote to memory of 964	2420	2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-03_1eb7d5f01066e7904c824cd70d88408d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
36KB

MD5
3b2fc6858ad6ba1d795c69d5464291bb

SHA1
8791ef8cada89472d14797a7a9131298e2eda0f0

SHA256
7e400e7ce558678287ff17b89689afa277615f4b1fb807f8f6e10e3d700c0d1b

SHA512
8fb6986b04421b70b59b0c51541ef2941944816d46b7daccda0bc3851c4783b01c6310b10873d9f14c4a8bcaa2c97563aa3e5d6b964b9057bccf98d673fc79c8

Download Submit
memory/964-17-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2420-0-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2420-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2420-8-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download