Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 02:51
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
  Resource: win10v2004-20240426-en
General

Target: 2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
Size: 45KB
MD5: db99634f581c422483cb54cb9a574e0c
SHA1: f877958b1a1d81306db2a68135f605043ee6175d
SHA256: b1d6cc703e9d3a36ea9b51b6566ffb98f77ee5a0dbd68614d9f10a13900e3d4d
SHA512: 2a8c19034eb984d72de702fe3d5b4aceef5fae1f5d1c0bf6d1f789d527aab3d5b5ce41467d9654e16ad1db7cdcaa5c3cfe02523fa4e25b6b6037bb99fc3e897d
SSDEEP: 768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3Kx2:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xb
Malware Config

Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource: \Users\Admin\AppData\Local\Temp\hurok.exe
  yara_rule: CryptoLocker_rule2

Detection of Cryptolocker Samples (1 IoC)
  resource: \Users\Admin\AppData\Local\Temp\hurok.exe
  yara_rule: CryptoLocker_set1

Executes dropped EXE (1 IoC)
  pid 2628  hurok.exe

Loads dropped DLL (1 IoC)
  pid 2236  2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of UnmapMainImage (2 IoCs)
  pid 2236  2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe
  pid 2628  hurok.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   process                                                        target pid  target process
  PID 2236 wrote to memory of 2628    2236  2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe  2628        hurok.exe
  PID 2236 wrote to memory of 2628    2236  2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe  2628        hurok.exe
  PID 2236 wrote to memory of 2628    2236  2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe  2628        hurok.exe
  PID 2236 wrote to memory of 2628    2236  2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe  2628        hurok.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe (pid 2236)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe"
   - Loads dropped DLL
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\hurok.exe (pid 2628, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
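The three behavioural signatures above (a dropped EXE executed from %TEMP%, the parent writing four times into that child's memory, and UnmapMainImage seen on both processes) are the sequence a process-hollowing loader leaves behind. The following is an added triage example, not sandbox output or code from the analysis platform: it replays those observations as constructed events in an event layout of this example's own (`<Kind> key=value ...`; the FileCreate event and the explorer/notepad noise are assumed for illustration) and correlates them per child process. The function names and the "hollowing suspected" heuristic are this example's assumptions, not a rule the report applies.

```python
import re

# Constructed event log (not sandbox output). The "<Kind> key=value ..." line
# layout is this example's own. Pids 2236/2628 and the two file paths are the
# ones in the report; the FileCreate event and the explorer/notepad lines are
# assumed for illustration.
SAMPLE_EVENTS = [
    r"ProcessCreate pid=2236 ppid=1000 image=C:\Users\Admin\AppData\Local\Temp\2024-05-22_db99634f581c422483cb54cb9a574e0c_cryptolocker.exe",
    r"FileCreate pid=2236 path=C:\Users\Admin\AppData\Local\Temp\hurok.exe",
    r"ProcessCreate pid=2628 ppid=2236 image=C:\Users\Admin\AppData\Local\Temp\hurok.exe",
    r"WriteProcessMemory pid=2236 target=2628",
    r"WriteProcessMemory pid=2236 target=2628",
    r"WriteProcessMemory pid=2236 target=2628",
    r"WriteProcessMemory pid=2236 target=2628",
    r"UnmapMainImage pid=2236",
    r"UnmapMainImage pid=2628",
    # Benign noise: a parent that launches a child without touching its memory.
    r"ProcessCreate pid=1000 ppid=500 image=C:\Windows\explorer.exe",
    r"ProcessCreate pid=3100 ppid=1000 image=C:\Windows\System32\notepad.exe",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split '<Kind> k=v k=v' into (kind, {k: v}). Paths here contain no spaces."""
    kind, _, rest = line.partition(" ")
    return kind, dict(KV.findall(rest))


def find_dropped_exe_injection(lines):
    """Correlate the report's three signatures per child process.

    A child is reported when its image was written to disk by its own parent
    (Executes dropped EXE). The finding also records how many times that
    parent wrote into the child's memory (WriteProcessMemory) and whether
    either side unmapped a main image (UnmapMainImage). Only when all three
    are present is hollowing_suspected set; a dropped EXE alone is not enough.
    """
    procs = {}      # pid -> (image, ppid)
    dropped = {}    # lower-cased path -> pid that created it
    writes = {}     # (writer pid, target pid) -> count
    unmapped = set()
    for line in lines:
        kind, f = parse_event(line)
        if kind == "ProcessCreate":
            procs[int(f["pid"])] = (f["image"], int(f["ppid"]))
        elif kind == "FileCreate":
            dropped[f["path"].lower()] = int(f["pid"])
        elif kind == "WriteProcessMemory":
            key = (int(f["pid"]), int(f["target"]))
            writes[key] = writes.get(key, 0) + 1
        elif kind == "UnmapMainImage":
            unmapped.add(int(f["pid"]))

    findings = []
    for pid, (image, ppid) in procs.items():
        if dropped.get(image.lower()) != ppid:
            continue  # image was not dropped by this process's own parent
        n_writes = writes.get((ppid, pid), 0)
        unmap = pid in unmapped or ppid in unmapped
        findings.append({
            "parent_pid": ppid,
            "child_pid": pid,
            "image": image,
            "parent_write_count": n_writes,
            "unmap_main_image": unmap,
            "hollowing_suspected": n_writes > 0 and unmap,
        })
    return findings


if __name__ == "__main__":
    for f in find_dropped_exe_injection(SAMPLE_EVENTS):
        verdict = "process hollowing suspected" if f["hollowing_suspected"] else "dropped EXE only"
        print(f"{f['parent_pid']} -> {f['child_pid']} {f['image']}: "
              f"{f['parent_write_count']} write(s), unmap={f['unmap_main_image']}: {verdict}")
```

The sandbox signature records only that the writes happened, not what was written, so this correlation is a triage verdict rather than proof. To confirm hollowing, compare the child's in-memory image from the memory dumps listed under Downloads against the hurok.exe dropped on disk; a mismatch between the two means the process is not running the code its hashes describe.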
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe
  Filesize: 45KB
  MD5: 1be9e58349fa03d51abf3bbb6d26fa7d
  SHA1: 5b617a397e1cc37385921867fe85826117a4e1ef
  SHA256: 7db44e99acfdf865113d722dce5e9d16e67f6bc31d698adcc8ab567700cb87a4
  SHA512: 723a651419aa43b9e25830c4e637b7c00933d6c47ccc818a9f35fd52eff096f5a3b9c9736e909c078e0339579ef3438591dac4a55a41b9fd6436e4845f589446

memory/2236-0-0x00000000003B0000-0x00000000003B6000-memory.dmp
  Filesize: 24KB

memory/2236-1-0x00000000003B0000-0x00000000003B6000-memory.dmp
  Filesize: 24KB

memory/2236-2-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB

memory/2628-23-0x0000000000230000-0x0000000000236000-memory.dmp
  Filesize: 24KB