Analysis
- max time kernel: 128s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/06/2024, 07:34
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe
- Size: 44KB
- MD5: d027de35ae2e38744ed08255a41bec8d
- SHA1: d30165479e20453eab74e9099a4f8172edf1e6a6
- SHA256: a1ad74dc64848ba32406c68e34533894feefe7c1eb1e41574b25bea3507d927c
- SHA512: 35f14a3985d4e5f934dcbb6247892bac1563a972a13d24a5244f5eda715a68a5315c59010ea96a7d9b77185c372c13b278c48caaa1c9a10e7976c8ac7da87088
- SSDEEP: 768:nf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGWXOQ69zbjlAAe:f1KhxqwtdgI2MyzNORQtOflIwoHNV2Xo
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoCs)
  resource: behavioral1/files/0x000c00000001565d-10.dat, yara_rule: CryptoLocker_rule2
- Detection of Cryptolocker Samples (1 IoCs)
  resource: behavioral1/files/0x000c00000001565d-10.dat, yara_rule: CryptoLocker_set1
- Executes dropped EXE (1 IoCs)
  pid 2592, process hurok.exe
- Loads dropped DLL (1 IoCs)
  pid 2696, process 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2696, process 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe
  pid 2592, process hurok.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2696 wrote to memory of 2592; pid 2696, process 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe, procid_target 28
  description: PID 2696 wrote to memory of 2592; pid 2696, process 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe, procid_target 28
  description: PID 2696 wrote to memory of 2592; pid 2696, process 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe, procid_target 28
  description: PID 2696 wrote to memory of 2592; pid 2696, process 2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe, procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe (PID 2696), command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-09_d027de35ae2e38744ed08255a41bec8d_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hurok.exe (PID 2592), command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 44KB
  MD5: 942f7117dc84ed6178563205a55ba8bb
  SHA1: 35eae2efa463683e444b83ed23ffc35aacc95e16
  SHA256: 5d017d31ad7dfe4378c54b903b04412c481f01ca129e57918145967d2b542f61
  SHA512: 61758961af268524f6484546a9a849104b3a9fa950ad9343ce84f01b4c55f05fef78fea92ca3ddd77a2a5c3cefd4b773607ac224979a39fef29f2ef942d187c9