189ff11339724ba04d11c4632624ad00154dbc40f028b7f1665ca30e0dad46c8

Analysis

max time kernel
0s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe
Size

60KB
MD5

678c6ebdf17922d5578d2db3e672347d
SHA1

21255d4c44baa190d094900e8439345f85935438
SHA256

189ff11339724ba04d11c4632624ad00154dbc40f028b7f1665ca30e0dad46c8
SHA512

fe8188d2dfb6b5d2be2af3f0f710a6a3ea00f3ac3c0e1e6c8c8d53946982dbf9890096c814313c0bf5024ba33badbf1a38502d6f63163f45246e01418b8dc4ff
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSq:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1876	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2544	2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe
1876	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1876	2544	2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe	15
PID 2544 wrote to memory of 1876	2544	2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe	15
PID 2544 wrote to memory of 1876	2544	2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe	15
PID 2544 wrote to memory of 1876	2544	2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe	15

C:\Users\Admin\AppData\Local\Temp\2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_678c6ebdf17922d5578d2db3e672347d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
1KB

MD5
829984de45aafe680eb9766631bdaf7d

SHA1
41b0c2f8b517d1c2b517ba5cc4299ba7d35b2e14

SHA256
6a9eb28d7c8d2d0ff883db4d99afc8a0c3460aeab5e5c47018961fe61298af45

SHA512
1564f1740ad67245509771f56ba1d8fdc6e49fa63e99403a9cc5fac9dbc0c96c21cf5f9a2afcbd146d9242b03d24b2b32f09790bd2f469a5f8d89a7d20fdc4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
16KB

MD5
bd30fe48bbb8d7a4c2e10e9ffaeaeea2

SHA1
41d6ea5f888b86d0790cdf5faf598570b0699182

SHA256
288d9d2258d74c32fcdbf7897f258187f9233c0a2145243322aeca0b47ddb535

SHA512
c951d4efddd9cb7dcbd1d949f43b1de8b48b9d9d8777bedbff5aa0ec37e6f8abc7ce5bf7d5a003ce3c0ef9756bec6cd5cf244e76d72b29075318157393675b18

Download Submit
\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
49KB

MD5
bc0dd7319ad467a1e7491d7a3ca42eeb

SHA1
fec967ef1b3326c87deb6a4b4af86a6d560ada1a

SHA256
4264497db29d23594b87b9c1082c5aa8e92881cf4eadd0d7567e7f4e17ca5270

SHA512
df693c2375c10ab123b4ec808a0f316822dc4ba5a39c2351ab9caedcea36b24e51cf497dbd295b8a2623267f1cf929165a47a08f7d28eefbf382ab72227a4299

Download Submit
memory/1876-21-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2544-0-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2544-7-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2544-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download