48ab9b0ad07dc4df05642f9e2c02a030577f5d31e441c1932c5da68c31c327bf

Analysis

max time kernel
0s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe
Size

36KB
MD5

4aaf424ab249039b792e8e11034450a3
SHA1

2cd07998ce982a0581500497c79124ebeb71b2fb
SHA256

48ab9b0ad07dc4df05642f9e2c02a030577f5d31e441c1932c5da68c31c327bf
SHA512

96bd4597bed6f6c23fa45c4628769da3fb49f8dfa7f9ac580e37fcb6baf5124491b6f790d003df304bd4281cb98c222ab28ff1f404e31efce1dd522fa8b43eca
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpNEmNOmnQBDny:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1960	2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe
2708	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2708	1960	2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe	28
PID 1960 wrote to memory of 2708	1960	2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe	28
PID 1960 wrote to memory of 2708	1960	2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe	28
PID 1960 wrote to memory of 2708	1960	2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-03_4aaf424ab249039b792e8e11034450a3_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
36KB

MD5
0a9bb56bea1cbbc851c0c4c2a4dd670f

SHA1
e2f5d2b9be4193fed8f5a81598d2585d1965e9a1

SHA256
fcb1e846bde731b49e2c0cb70d3cb224c03424089f772b6bfeba2dca0d8e99f0

SHA512
b7f9c6c8f97abc7248a6cd60a5ce80825d41251a659ec5a43c786c9dab709dd93a9f67e596d97575cb2657a477260641321cce9e8ced9d689054696114c692f3

Download Submit
memory/1960-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1960-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1960-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2708-23-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download