cryptolocker | 2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d

General

Target

2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe
Size

338KB
MD5

3a474a22a2ddd5ba05031a4f3ff309e1
SHA1

b9d3d30e54468d0cdaf3dddd044378cf101e179d
SHA256

2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d
SHA512

b00f87a23a4ad38b1a52fb77b5a507c7a5e4ac36025559bc5f1589aad76f58ddc99b940e4cdd78c9085fe4128362c3740b9f524ff2288e0826e051e980061e77

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Executes dropped EXE 2 IoCs

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

660 {34184A33-0407-212E-3320-09040709E2C2}.exe
3988 {34184A33-0407-212E-3320-09040709E2C2}.exe
Deletes itself 1 IoCs

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

660 {34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
660	{34184A33-0407-212E-3320-09040709E2C2}.exe
3988	{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
660	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

description	pid	process	target process
PID 532 wrote to memory of 660	532	2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 532 wrote to memory of 660	532	2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 532 wrote to memory of 660	532	2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 660 wrote to memory of 3988	660	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 660 wrote to memory of 3988	660	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 660 wrote to memory of 3988	660	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Local\Temp\2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe
"C:\Users\Admin\AppData\Local\Temp\2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
    3⤵
    - Executes dropped EXE
    PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5
3a474a22a2ddd5ba05031a4f3ff309e1

SHA1
b9d3d30e54468d0cdaf3dddd044378cf101e179d

SHA256
2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d

SHA512
b00f87a23a4ad38b1a52fb77b5a507c7a5e4ac36025559bc5f1589aad76f58ddc99b940e4cdd78c9085fe4128362c3740b9f524ff2288e0826e051e980061e77

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5
3a474a22a2ddd5ba05031a4f3ff309e1

SHA1
b9d3d30e54468d0cdaf3dddd044378cf101e179d

SHA256
2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d

SHA512
b00f87a23a4ad38b1a52fb77b5a507c7a5e4ac36025559bc5f1589aad76f58ddc99b940e4cdd78c9085fe4128362c3740b9f524ff2288e0826e051e980061e77

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5
3a474a22a2ddd5ba05031a4f3ff309e1

SHA1
b9d3d30e54468d0cdaf3dddd044378cf101e179d

SHA256
2f3a3462e46a5373d2087cb030289c361270e4b5b8799e4d5ca422e83f4e988d

SHA512
b00f87a23a4ad38b1a52fb77b5a507c7a5e4ac36025559bc5f1589aad76f58ddc99b940e4cdd78c9085fe4128362c3740b9f524ff2288e0826e051e980061e77

Download Submit
memory/660-114-0x0000000000000000-mapping.dmp

Download
memory/3988-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing