ad990893540787bfc4e0e5ad7c1408fd299f583cbcf74255b34cc5f2253d2287

Analysis

max time kernel
153s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe
Size

43KB
MD5

301dc760bb69082b3587277361d4edaf
SHA1

7156d3886e2069bc5c7fca96ac2e5e2e64719edf
SHA256

ad990893540787bfc4e0e5ad7c1408fd299f583cbcf74255b34cc5f2253d2287
SHA512

3ea68b0cf525a90fe23f282c83a0e86f48093db1f6e0b06486d0936fdcc306eed91e65e0a7f0b4f54ff204a1a5075d036cbdb512612541a33a721ffde29755dc
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kxy:o1KhxqwtdgI2MyzNORQtOflIwoHNV2X/

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001222b-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001222b-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1964	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1736	2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe
1964	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1964	1736	2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe	28
PID 1736 wrote to memory of 1964	1736	2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe	28
PID 1736 wrote to memory of 1964	1736	2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe	28
PID 1736 wrote to memory of 1964	1736	2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_301dc760bb69082b3587277361d4edaf_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
43KB

MD5
401e30e7363d7534035d0b8c4b7982ed

SHA1
514ec7dca0e580b4a499ad385bd442dfa6689ff4

SHA256
525be764dfaa4460e7f0a7359af2d62db296775567293851bcba1c688e127797

SHA512
9235923fb55373f0bb23814ae6e4d4d2184920c975a1817e28a8e18a0b915c089a423d1eb205f5f6ff51d9ade063b6d656c762371e90ef743f31b891c37d73a6

Download Submit
memory/1736-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1736-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1736-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1964-19-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download