1b43dbf0f55cfea6b8298d199f9806ac683ce71005e9a429b5820e47b382757b

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe
Size

61KB
MD5

2136d8d0457b8fa4ab840054d2e9d76e
SHA1

aefc8827b4e340abb2f88f831bfc3588cbe9006c
SHA256

1b43dbf0f55cfea6b8298d199f9806ac683ce71005e9a429b5820e47b382757b
SHA512

e73d670d2c5c2adf6d55680d1f7204d8ddb8676c2dc83db056567645dc257ad6da552902118eff1dfc126398d58b3500b6b11cd823b67422fce2c137ced5987f
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1x/9lfL+gniDSAay:aq7tdgI2MyzNORQtOflIwoHNV2XBFV71

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122e2-23.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122e2-23.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2696	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1712	2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe
2696	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2696	1712	2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe	1
PID 1712 wrote to memory of 2696	1712	2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe	1
PID 1712 wrote to memory of 2696	1712	2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe	1
PID 1712 wrote to memory of 2696	1712	2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe	1

C:\Users\Admin\AppData\Local\Temp\hurok.exe
"C:\Users\Admin\AppData\Local\Temp\hurok.exe"
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_2136d8d0457b8fa4ab840054d2e9d76e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
61KB

MD5
b3fe774db4fbcc35f26ba73f373b23d9

SHA1
8e0f5ecf925c100523faba677080d8ca362be013

SHA256
0268209c756bb4365e136d299660ee4da1b44e3765a67af9a2ba32d8020a046e

SHA512
d94764dd22ed9ff4c67bab7d2f698d6837f5795a65d4e32520d36a008c91b2a672036c9ddd9c7206db5fc73fc797c26a575e1942b9bac5d411f5b49efb4610ca

Download Submit
memory/1712-3-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1712-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1712-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2696-21-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download