4aacdfc565fb4a5424c344496e3cfe706bee7ebb0de7a6c6ed40a7273ede7be1

Analysis

max time kernel
152s
max time network
168s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe
Size

59KB
MD5

96335a8590fc60100e68b9e3b1761e74
SHA1

21f342f472606ead4bf72a236e93835914b48e9d
SHA256

4aacdfc565fb4a5424c344496e3cfe706bee7ebb0de7a6c6ed40a7273ede7be1
SHA512

f6f3fd9cf806b347c489c440a477411827e8a6726adb97a6150a25c48d8a2d636886ac2d0660797e8b1bd721e80a12fb9e93679e3d4e58d02cb89f52e68b6e28
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSAr:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1872	2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1872	2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe
2200	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2200	1872	2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe	28
PID 1872 wrote to memory of 2200	1872	2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe	28
PID 1872 wrote to memory of 2200	1872	2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe	28
PID 1872 wrote to memory of 2200	1872	2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_96335a8590fc60100e68b9e3b1761e74_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
60KB

MD5
f4c27f23cb9d9bf6d966aa558d7daebe

SHA1
bdf7d5a738992af1ae31f8f7a6514c60b43c9b3b

SHA256
963bfb2f1ce3a1b9ceaa6d6da6637cd13f05680185d9c003a3178add238e00f0

SHA512
19765068b12b13ece78c5018c19d7874eb66ffdc8b3024a5a3803e9cd71ca7fc3c5e7edc0ee6872cc3e5f426744a4a12e999cf6a7faaf7efe5124f6e070df236

Download Submit
memory/1872-0-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1872-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1872-3-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2200-17-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download