60b1b4ef59b13f9dcd5dc51839d38ca6c9413242bd709058e15aa33ff0dad1a2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe
Size

47KB
MD5

25a19e4daba08a40dbff07ea101fde94
SHA1

032f40f1cabee1826fc5fb7dec5e26652879ab0d
SHA256

60b1b4ef59b13f9dcd5dc51839d38ca6c9413242bd709058e15aa33ff0dad1a2
SHA512

433c256e8470328afa4f329c5cbbae55f6574c277acece68e64fa10c970793775d6b37430feb7118cd7390dd9a42aa3bfbd9c4080bba43b4bfebcacbb3fa3866
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3KxY:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XJ

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120dc-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120dc-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2684	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2464	2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2464	2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe
2684	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2684	2464	2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe	28
PID 2464 wrote to memory of 2684	2464	2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe	28
PID 2464 wrote to memory of 2684	2464	2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe	28
PID 2464 wrote to memory of 2684	2464	2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_25a19e4daba08a40dbff07ea101fde94_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
47KB

MD5
51589a34b7fe0b44076eee209eb943e2

SHA1
22c189144d83cec5f3ac91544aac8dfe37903990

SHA256
79614dfed733dac7aa2b0e9d1ecf8e70364187149944eba39ad2bca55ea747dd

SHA512
08dc9e76fe28aba8793db302c241821b700fe4344139ae1a6889c3613be40f113b5723002815ea8126d918e7817e1965302d93cc462881962f644291dae7d026

Download Submit
memory/2464-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2464-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2464-1-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2684-23-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download