8f23c7ea0813b5cbc064d5dad2a372639fc92867950bd14d1b664462c886e41b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe
Size

51KB
MD5

be2b1853ab8dbafe435ee69bd931aa2d
SHA1

59164d95b334a70846afd684d1f7c0f4a7159e7e
SHA256

8f23c7ea0813b5cbc064d5dad2a372639fc92867950bd14d1b664462c886e41b
SHA512

9889d7f774ac7f0fb1c40fb813e62d99f3beef480b24fc26c21a885aa650a906901d738aab900a3daf98859b4265ab9757de1b8ee6210f198803999d3227f8c2
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAIUr:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7L

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015cbd-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015cbd-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1164	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1512	2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1512	2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe
1164	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1164	1512	2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe	28
PID 1512 wrote to memory of 1164	1512	2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe	28
PID 1512 wrote to memory of 1164	1512	2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe	28
PID 1512 wrote to memory of 1164	1512	2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_be2b1853ab8dbafe435ee69bd931aa2d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
51KB

MD5
8778a7ea7a885156afa41bf71d8b7a24

SHA1
b4d10729d5d652d27479c5449d2bc4c963986e42

SHA256
e6d8f3d1812312aba7698b737210094f08231e2e19517b429c26e978ea3c3609

SHA512
12ebc51f8d8f0189e7c02a714440becef5b8d202634a49db5a9dec8306928d327bc92b08d9528ee86e03a404d445954821c200accc2e90494ffb5c1bdb1d6a4a

Download Submit
memory/1164-23-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1512-0-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1512-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1512-8-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download