607552944fb6d7e0c2731d0fe85965529efe3446c905b19f6d504bdee6a5044c

Analysis

max time kernel
151s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe
Size

61KB
MD5

31a9283986bfad1bb83f1d59139d72a6
SHA1

f8116fcb085a382017974f39d4d598e181cc0ae1
SHA256

607552944fb6d7e0c2731d0fe85965529efe3446c905b19f6d504bdee6a5044c
SHA512

cb98a89eeeb96fcbf9b562e64fe7f62399b60b9d42270b108d6f72ebdcf942eb71cc317b518c1033a126941b180ba010588ba0e39df04e1bd2fa733f2711e5c6
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF2934:aq7tdgI2MyzNORQtOflIwoHNV2XBFV72

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1752	2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1752	2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe
2676	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2676	1752	2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe	28
PID 1752 wrote to memory of 2676	1752	2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe	28
PID 1752 wrote to memory of 2676	1752	2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe	28
PID 1752 wrote to memory of 2676	1752	2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_31a9283986bfad1bb83f1d59139d72a6_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
61KB

MD5
1f0fe792064e0eea69bd698e41b20c7c

SHA1
47c6470e14148a6d942a67599d344a3db131f91b

SHA256
ca446a69f3122decd65fef3ba18b27a6d4b4b883b08690a59123c2e987ab8b64

SHA512
ee8b2b06460f5be7f6291b37e6236b46cb1acb02d730430359693082a05fed0c3b954cf503d9aea60e0c903b4b98c528952e0fca0ad5939a1da2d815261f3dc0

Download Submit
memory/1752-0-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1752-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1752-3-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download