d83c430a285d20e474ee488a56e4b6891a36a81093fe5f73ff70cf3211698f6b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe
Size

55KB
MD5

d80fa6572b78ea29208407c7c23d7108
SHA1

704446ef90d32dbc95103c6ff456a8eefd8f439b
SHA256

d83c430a285d20e474ee488a56e4b6891a36a81093fe5f73ff70cf3211698f6b
SHA512

93cf5e50318cf8d41e2e3f54b8b72d4faeac8bd726411a0ad3aec73cc94d83421410ebb00ba361c4e8b138a40bb94fd76ec9c9e63fbd785a5f021e7b8f717c69
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAIX6Ev:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7S

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000141a2-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000141a2-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1528	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2820	2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe
1528	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1528	2820	2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe	28
PID 2820 wrote to memory of 1528	2820	2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe	28
PID 2820 wrote to memory of 1528	2820	2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe	28
PID 2820 wrote to memory of 1528	2820	2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_d80fa6572b78ea29208407c7c23d7108_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
55KB

MD5
4c84b02f143c72da2ca8ce20513c8400

SHA1
6d892cd3381591d9d80b4087886ad595f5a46aab

SHA256
afc7e8d59ff25374421be7630faf0cae0a39979766d8187762e5858fde995890

SHA512
dad139e3c4f7d5ac97698d7234e08913da94d0926edf92f10dff6f45509c9c92d7c7dde69273ef94ff6695f0b297a1f1ef1e016d8e3921f47449a77c090edc53

Download Submit
memory/1528-23-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2820-1-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2820-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2820-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download