cryptolocker | 2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662

General

Target

2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe
Size

544KB
MD5

6136e79fbbe4cfbadcace9fa3d015170
SHA1

3ff9da637427740e373f032c99cf6e29ad27e37a
SHA256

2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662
SHA512

57fc2e764acb17b5b145f51e5b1fc22a79a028750c155ab8de8ffddfd65e97e7cf61f5984fffe182c9cfef6f0e97b6e25e570910e76609c8741735a0f17a6ddd
SSDEEP

12288:GAp4xkuItDWc2jR8bn1gdUMDhRGm7sHpeSVyPK8rnSnznL84W7DprS:GA7ZKHRen1g/R17sHpXyPKsSnznLXoU

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Executes dropped EXE 2 IoCs

pid	Process
1644	Avywuixyxmexxtr.exe
2024	Avywuixyxmexxtr.exe

Deletes itself 1 IoCs

pid	Process
1644	Avywuixyxmexxtr.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe
1820	2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Avywuixyxmexxtr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Avywuixyxmexxtr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1644	1820	2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe	28
PID 1820 wrote to memory of 1644	1820	2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe	28
PID 1820 wrote to memory of 1644	1820	2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe	28
PID 1820 wrote to memory of 1644	1820	2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe	28
PID 1644 wrote to memory of 2024	1644	Avywuixyxmexxtr.exe	29
PID 1644 wrote to memory of 2024	1644	Avywuixyxmexxtr.exe	29
PID 1644 wrote to memory of 2024	1644	Avywuixyxmexxtr.exe	29
PID 1644 wrote to memory of 2024	1644	Avywuixyxmexxtr.exe	29

C:\Users\Admin\AppData\Local\Temp\2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe
"C:\Users\Admin\AppData\Local\Temp\2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
  "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" "-rC:\Users\Admin\AppData\Local\Temp\2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
    "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" -w11c
    3⤵
    - Executes dropped EXE
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
544KB

MD5
6136e79fbbe4cfbadcace9fa3d015170

SHA1
3ff9da637427740e373f032c99cf6e29ad27e37a

SHA256
2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662

SHA512
57fc2e764acb17b5b145f51e5b1fc22a79a028750c155ab8de8ffddfd65e97e7cf61f5984fffe182c9cfef6f0e97b6e25e570910e76609c8741735a0f17a6ddd

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
544KB

MD5
6136e79fbbe4cfbadcace9fa3d015170

SHA1
3ff9da637427740e373f032c99cf6e29ad27e37a

SHA256
2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662

SHA512
57fc2e764acb17b5b145f51e5b1fc22a79a028750c155ab8de8ffddfd65e97e7cf61f5984fffe182c9cfef6f0e97b6e25e570910e76609c8741735a0f17a6ddd

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
544KB

MD5
6136e79fbbe4cfbadcace9fa3d015170

SHA1
3ff9da637427740e373f032c99cf6e29ad27e37a

SHA256
2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662

SHA512
57fc2e764acb17b5b145f51e5b1fc22a79a028750c155ab8de8ffddfd65e97e7cf61f5984fffe182c9cfef6f0e97b6e25e570910e76609c8741735a0f17a6ddd

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
544KB

MD5
6136e79fbbe4cfbadcace9fa3d015170

SHA1
3ff9da637427740e373f032c99cf6e29ad27e37a

SHA256
2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662

SHA512
57fc2e764acb17b5b145f51e5b1fc22a79a028750c155ab8de8ffddfd65e97e7cf61f5984fffe182c9cfef6f0e97b6e25e570910e76609c8741735a0f17a6ddd

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
544KB

MD5
6136e79fbbe4cfbadcace9fa3d015170

SHA1
3ff9da637427740e373f032c99cf6e29ad27e37a

SHA256
2b9c435e6c5e7a4fc2ef5a7dce9f9bc928cef5325eda8799810beb91b2287662

SHA512
57fc2e764acb17b5b145f51e5b1fc22a79a028750c155ab8de8ffddfd65e97e7cf61f5984fffe182c9cfef6f0e97b6e25e570910e76609c8741735a0f17a6ddd

Download Submit
memory/1644-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1644-80-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1644-67-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1820-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1820-54-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1820-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1820-57-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2024-76-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2024-79-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2024-81-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing