c02ee31d8682959924b7a95f49b290af4e1ec4aa559bc464936b8389bf735fae

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe
Size

46KB
MD5

0fc9742d6541b0c9074677d621a31264
SHA1

08a8d8863a27a60c22976204e49f919f47100b56
SHA256

c02ee31d8682959924b7a95f49b290af4e1ec4aa559bc464936b8389bf735fae
SHA512

affd3ab1f22bfadcb88d6447269c67032b5c1bebdbaf09d6910f6c6bf11918ab64ae123c25871645f9f43fd7e5ba5140b4a26b441727560d7fc1920ec65cb4e3
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kxy:o1KhxqwtdgI2MyzNORQtOflIwoHNV2X/

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
3020	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1984	2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe
3020	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3020	1984	2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe	29
PID 1984 wrote to memory of 3020	1984	2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe	29
PID 1984 wrote to memory of 3020	1984	2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe	29
PID 1984 wrote to memory of 3020	1984	2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_0fc9742d6541b0c9074677d621a31264_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
46KB

MD5
fc19f4de93e67d5de326e2332f0a7c1b

SHA1
6886711d89c315162256b92fa4a6c0bb9366378c

SHA256
8690d254f2bc435ed45e5107b3de16a4be263794534b83c8adde685d4f0301ff

SHA512
665f3e8207ea4e5f5a29ad2a12ec3e307b02d57ba77c18b19d33d1f08a27214116a02138ecded05efbf5f7c42d5f1fb395502859dce16f0af077faf6b257d743

Download Submit
memory/1984-0-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1984-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1984-7-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/3020-17-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download