6e61e069e1eb5c5d9a12aefb3e7f791840e3943746d9b8e4c79703d42cf104bb

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe
Size

41KB
MD5

05d595f9300c1432600be3db3b1aea51
SHA1

8a1d81d8b0e54fa7e24e20392acdf3e7aea1e032
SHA256

6e61e069e1eb5c5d9a12aefb3e7f791840e3943746d9b8e4c79703d42cf104bb
SHA512

b5e656779b130bc72aab1bc5f95eb2ac2734c510a124c8a28066f7910f087a5a4dae425952c0989197d3d8af8eb7aae6fb9402a067f4918ec701eae446f52161
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kx1:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xs

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012256-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012256-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2708	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2428	2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2428	2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe
2708	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2708	2428	2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe	28
PID 2428 wrote to memory of 2708	2428	2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe	28
PID 2428 wrote to memory of 2708	2428	2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe	28
PID 2428 wrote to memory of 2708	2428	2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-22_05d595f9300c1432600be3db3b1aea51_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
41KB

MD5
d47230a8f588ddcd120c3b88bb268011

SHA1
ffec0d7654760de304126c01a4a50d17d13a108b

SHA256
3fbc044f8fe71938343ccd7f8ac5c262447fa8f86f511960335b3761ec78a9de

SHA512
06e245807473060ce16e76da29668547dcb1e6d7089b998a77c4f54c92d52d83ac6f49b1d1cca593d1cffff9a3cbf8045c335b73b98a63b79cadc12c6f50cb75

Download Submit
memory/2428-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2428-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2428-5-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2708-18-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download