431ee188b631a051fa93a900652fafc3cb088c5052a1ada2e76f0d5a3bf9f03f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe
Size

67KB
MD5

cad294d69fa8e38f3dd1f551aedd3ed3
SHA1

bbb1c69c0fe0e9fbe5f35fe311c05817cdaf11bc
SHA256

431ee188b631a051fa93a900652fafc3cb088c5052a1ada2e76f0d5a3bf9f03f
SHA512

5c7e1403fd26c19b29bf18098adcf7fe6124c01d052eeb52010ad26ccc784dd101974e53bc19940d26dbde6673bbb222c4f3c5dc591154d7c5a11b2c597f08aa
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLEV:aq7tdgI2MyzNORQtOflIwoHNV2XBFV79

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015605-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015605-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
868	hurok.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2240	2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe
868	hurok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 868	2240	2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe	28
PID 2240 wrote to memory of 868	2240	2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe	28
PID 2240 wrote to memory of 868	2240	2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe	28
PID 2240 wrote to memory of 868	2240	2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_cad294d69fa8e38f3dd1f551aedd3ed3_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
68KB

MD5
b6060225071e7572455783685ae2e620

SHA1
bac0b9c411bbe83aeb9e5506eafc4cddc9489f54

SHA256
1a75b05ef9ca9ddf9390299caafab11f784628ca1ef297d3158bbd9a3f7e855d

SHA512
afbfa7958727b9f9c1974dec90eb940dc1b3e78e3ad77981b1b54b410b9ece78ffab2c9bb927bf9fa66b6b475f1ae3466c9f30901dead27be038b279d6874312

Download Submit
memory/868-23-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2240-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2240-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2240-8-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download