464c5b0b6dda8159411662317a7f7ab2a8e7471812179e83cee7d78b8c31bcea

Analysis

max time kernel
157s
max time network
160s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe
Size

48KB
MD5

db37128ab3c6250514d8d5fffdcacfd9
SHA1

d2fcdbc81003c6550a4bb8435d5fccbdd031aab7
SHA256

464c5b0b6dda8159411662317a7f7ab2a8e7471812179e83cee7d78b8c31bcea
SHA512

fc1acfbfc376c28ddcbe5ebfae3f23a3d9f9e99ae4b3aa993a3f4e49e8e3e869c8ad1cfbeeb49e4c4e3e51cd4ae887f5d8e77b88d0403f3a621a4b746e33d8c6
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAI3o:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7r

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225f-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225f-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2308	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1712	2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe
2308	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2308	1712	2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe	27
PID 1712 wrote to memory of 2308	1712	2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe	27
PID 1712 wrote to memory of 2308	1712	2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe	27
PID 1712 wrote to memory of 2308	1712	2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe	27

C:\Users\Admin\AppData\Local\Temp\2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_db37128ab3c6250514d8d5fffdcacfd9_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
48KB

MD5
76cb0aefb8700e8b2ac424c10c4ac403

SHA1
b35caa11e24ec89726edb02c4d31806210f529aa

SHA256
301acd7189a6fe9bec43a9ec9989530715f48fb7dbbb7e01a8827ea9d87dccf2

SHA512
617453cd973f99dc7b731921673c5ce2ec9db37defd01f27f8d78e0951e1e22f736cc8674fcb6db14e7ba1282340540da19062e2cde6c93acb980d8778e9f2af

Download Submit
memory/1712-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1712-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1712-5-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2308-18-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download