ccb734816af02f716fad031be9432fa9ff100142fadab7d4dc701cbaeb07463a

Analysis

max time kernel
0s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe
Size

43KB
MD5

10217eb7377634c92bb645368d2a2b59
SHA1

70d5d4d6cb469f84c51e3e6441d5891bf36f077b
SHA256

ccb734816af02f716fad031be9432fa9ff100142fadab7d4dc701cbaeb07463a
SHA512

2600b88786b834b82badd6e6fe2735b6f7bb110959c0a74317de62909e470deffee28c89e71baf6efe03c0f30eff4acf2698cae2349c93d4297993d6076b320a
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kxh:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2264	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2008	2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe
2264	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2264	2008	2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe	14
PID 2008 wrote to memory of 2264	2008	2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe	14
PID 2008 wrote to memory of 2264	2008	2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe	14
PID 2008 wrote to memory of 2264	2008	2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe	14

C:\Users\Admin\AppData\Local\Temp\hurok.exe
"C:\Users\Admin\AppData\Local\Temp\hurok.exe"
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_10217eb7377634c92bb645368d2a2b59_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
27KB

MD5
b37e25dfbd749d05adedcb13301bbb33

SHA1
986f6249bb96c97470d986c97f2b34575dcd6b62

SHA256
e4c02682462f4d28b2fa3279d52e80c5fc83c7597b4e24c759642e61d961f981

SHA512
b5c2588c828c86bb5f4a9760fb5065a858f95e0d21c5b3a54d889579062f16dad1e59da0729359ea196bed8ce36365910703832845168572681ca6cb57476725

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
1KB

MD5
829984de45aafe680eb9766631bdaf7d

SHA1
41b0c2f8b517d1c2b517ba5cc4299ba7d35b2e14

SHA256
6a9eb28d7c8d2d0ff883db4d99afc8a0c3460aeab5e5c47018961fe61298af45

SHA512
1564f1740ad67245509771f56ba1d8fdc6e49fa63e99403a9cc5fac9dbc0c96c21cf5f9a2afcbd146d9242b03d24b2b32f09790bd2f469a5f8d89a7d20fdc4be

Download Submit
memory/2008-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2008-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2264-23-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download