43e4d477ca4321f1d1aca355f9c582ce8a45ccd1b5202183fe0858b760ac1130

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe
Size

42KB
MD5

da01eebe2cf63f41af0f45c730aca17b
SHA1

91a2f07fb117fd433e17bccb7e4f752a861b1a76
SHA256

43e4d477ca4321f1d1aca355f9c582ce8a45ccd1b5202183fe0858b760ac1130
SHA512

4e113c52c75166c07d4f8a8d3e8fb76b6526cae740610c22f85b0c646189aa22c8fd3eb9e1c6c86b1ab81faab4afd5d5c477b512a48f712ae43a5fdb979c7f2a
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kxo:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XB

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012266-13.dat	CryptoLocker_rule2
behavioral1/files/0x0009000000012266-22.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012266-13.dat	CryptoLocker_set1
behavioral1/files/0x0009000000012266-22.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2692	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2964	2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe
2692	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2692	2964	2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe	19
PID 2964 wrote to memory of 2692	2964	2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe	19
PID 2964 wrote to memory of 2692	2964	2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe	19
PID 2964 wrote to memory of 2692	2964	2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe	19

C:\Users\Admin\AppData\Local\Temp\2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_da01eebe2cf63f41af0f45c730aca17b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
1KB

MD5
829984de45aafe680eb9766631bdaf7d

SHA1
41b0c2f8b517d1c2b517ba5cc4299ba7d35b2e14

SHA256
6a9eb28d7c8d2d0ff883db4d99afc8a0c3460aeab5e5c47018961fe61298af45

SHA512
1564f1740ad67245509771f56ba1d8fdc6e49fa63e99403a9cc5fac9dbc0c96c21cf5f9a2afcbd146d9242b03d24b2b32f09790bd2f469a5f8d89a7d20fdc4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
42KB

MD5
668616eb4afb5056d697b1ec4b6d4020

SHA1
1280a7ea7121241da8586ffdeb5cde2297c17beb

SHA256
4e02e1cca029acfc3a7337324ff01d87b618bfee5a7f25407538c8a5247290ed

SHA512
0fb31f18ad59bb657fd8313100a906ddab960cb78dec9a95420cfa99dfe5710dde864c33b4399eb4a46556c5e3420e76d9f008c881768c50c4b2d9878d5e35bb

Download Submit
memory/2692-23-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2964-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2964-2-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2964-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download