cryptolocker | 362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e

General

Target

362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe
Size

736KB
MD5

a09aac1c1901f88e3bc87430d028718d
SHA1

5a63efde486b7f6d8c78b606bd02a07769a7b3b3
SHA256

362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e
SHA512

b1f11873196dbb49a55ad41fd54bc342e93b0185bff30bd03c6bd10dbad930a0cda30c69c34df03fecba34e08a2854675f8adb49c6ab58f05e6a769a16de315b
SSDEEP

12288:cFOCGlc1srI4hLyfoWA5o8nvwla94iQNES0GkoKf9L:cmWic40QWA+8vwW4iQN10H

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Executes dropped EXE 2 IoCs

pid	Process
1160	Avywuixyxmexxtr.exe
956	Avywuixyxmexxtr.exe

Deletes itself 1 IoCs

pid	Process
1160	Avywuixyxmexxtr.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe
2036	362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Avywuixyxmexxtr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Avywuixyxmexxtr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1160	2036	362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe	26
PID 2036 wrote to memory of 1160	2036	362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe	26
PID 2036 wrote to memory of 1160	2036	362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe	26
PID 2036 wrote to memory of 1160	2036	362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe	26
PID 1160 wrote to memory of 956	1160	Avywuixyxmexxtr.exe	27
PID 1160 wrote to memory of 956	1160	Avywuixyxmexxtr.exe	27
PID 1160 wrote to memory of 956	1160	Avywuixyxmexxtr.exe	27
PID 1160 wrote to memory of 956	1160	Avywuixyxmexxtr.exe	27

C:\Users\Admin\AppData\Local\Temp\362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe
"C:\Users\Admin\AppData\Local\Temp\362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
  "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" "-rC:\Users\Admin\AppData\Local\Temp\362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
    "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" -w12c
    3⤵
    - Executes dropped EXE
    PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
736KB

MD5
a09aac1c1901f88e3bc87430d028718d

SHA1
5a63efde486b7f6d8c78b606bd02a07769a7b3b3

SHA256
362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e

SHA512
b1f11873196dbb49a55ad41fd54bc342e93b0185bff30bd03c6bd10dbad930a0cda30c69c34df03fecba34e08a2854675f8adb49c6ab58f05e6a769a16de315b

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
736KB

MD5
a09aac1c1901f88e3bc87430d028718d

SHA1
5a63efde486b7f6d8c78b606bd02a07769a7b3b3

SHA256
362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e

SHA512
b1f11873196dbb49a55ad41fd54bc342e93b0185bff30bd03c6bd10dbad930a0cda30c69c34df03fecba34e08a2854675f8adb49c6ab58f05e6a769a16de315b

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
736KB

MD5
a09aac1c1901f88e3bc87430d028718d

SHA1
5a63efde486b7f6d8c78b606bd02a07769a7b3b3

SHA256
362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e

SHA512
b1f11873196dbb49a55ad41fd54bc342e93b0185bff30bd03c6bd10dbad930a0cda30c69c34df03fecba34e08a2854675f8adb49c6ab58f05e6a769a16de315b

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
736KB

MD5
a09aac1c1901f88e3bc87430d028718d

SHA1
5a63efde486b7f6d8c78b606bd02a07769a7b3b3

SHA256
362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e

SHA512
b1f11873196dbb49a55ad41fd54bc342e93b0185bff30bd03c6bd10dbad930a0cda30c69c34df03fecba34e08a2854675f8adb49c6ab58f05e6a769a16de315b

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
736KB

MD5
a09aac1c1901f88e3bc87430d028718d

SHA1
5a63efde486b7f6d8c78b606bd02a07769a7b3b3

SHA256
362e2a76a5a851dde0dd6f29a07846343170a7a36cf5305e1b4cd4973278b60e

SHA512
b1f11873196dbb49a55ad41fd54bc342e93b0185bff30bd03c6bd10dbad930a0cda30c69c34df03fecba34e08a2854675f8adb49c6ab58f05e6a769a16de315b

Download Submit
memory/956-70-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1160-63-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download

Analysis

Sharing