2dbca7c12590251ffac8b9ee9d3b2f247b71a6aa6bb3c48aa2f4ff0f7824e627

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe
Size

38KB
MD5

de2a4399d0bafbd71779d03c292585ea
SHA1

914a3424ab2ca72670ec0a2931299f7c109f49e8
SHA256

2dbca7c12590251ffac8b9ee9d3b2f247b71a6aa6bb3c48aa2f4ff0f7824e627
SHA512

6a15cd39ffd9976290aafbfcb5a82ff2d9516eb8ad019dec42ea23adfab60e9a6171a61b619776475023b86845cdff6657ca34c34292bfe59f5c11e782659370
SSDEEP

768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGp/YIm7wm0WZy5:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xn

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000143d1-22.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000143d1-22.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
3012	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
1716	2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe
3012	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 3012	1716	2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe	28
PID 1716 wrote to memory of 3012	1716	2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe	28
PID 1716 wrote to memory of 3012	1716	2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe	28
PID 1716 wrote to memory of 3012	1716	2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_de2a4399d0bafbd71779d03c292585ea_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
38KB

MD5
f7ead0461f38a55105c741ab05f54e98

SHA1
5c4689cd2ee2296c7bed487b2f8294bb4d76246d

SHA256
b1571e1bd8aa91ce0bfb2db2250f6e064de933546894232a05f4fd7dc7503103

SHA512
8481a2a25e00f4d42620d64b1f9a8840299e7f0792d76319cb57b2c5e103534b37097a206a5bb107841728f3998f2adec9385db492dbcf523469f8771d514c8d

Download Submit
memory/1716-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1716-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1716-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/3012-23-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download