cryptolocker | 001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d

General

Target

001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe
Size

519KB
MD5

3655ea01660a35a03f33b064caff5079
SHA1

4dbb86e2b954106a3e7fec387039d8fbee49525d
SHA256

001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d
SHA512

398d28681fb149f164677e0cb0a08c331716f4799b7909fdab0dcdadd27b798d78d7c5abd1788b9f79140735f0a15d4a963a3719a75d4dfa6ac233ea0538284d
SSDEEP

12288:X1NyA4TV5nMEv2C0Ae+9kPv3vNEejphL7ELecctvU7QSP73M7bqPG:veTV5nMf+xAyej/L74oQX3MgG

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Executes dropped EXE 3 IoCs

Processes:

{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

320 {71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
1048 {34184A33-0407-212E-3320-09040709E2C2}.exe
2004 {34184A33-0407-212E-3320-09040709E2C2}.exe
Loads dropped DLL 2 IoCs

Processes:

001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

pid process

1872 001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe
320 {71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

pid	process
320	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
1048	{34184A33-0407-212E-3320-09040709E2C2}.exe
2004	{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe
320	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1168 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1168 AcroRd32.exe
1168 AcroRd32.exe
1168 AcroRd32.exe

pid	process
1168	AcroRd32.exe

pid	process
1168	AcroRd32.exe
1168	AcroRd32.exe
1168	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

description	pid	process	target process
PID 1872 wrote to memory of 320	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
PID 1872 wrote to memory of 320	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
PID 1872 wrote to memory of 320	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
PID 1872 wrote to memory of 320	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
PID 1872 wrote to memory of 1168	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	AcroRd32.exe
PID 1872 wrote to memory of 1168	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	AcroRd32.exe
PID 1872 wrote to memory of 1168	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	AcroRd32.exe
PID 1872 wrote to memory of 1168	1872	001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe	AcroRd32.exe
PID 320 wrote to memory of 1048	320	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 320 wrote to memory of 1048	320	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 320 wrote to memory of 1048	320	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 320 wrote to memory of 1048	320	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 1048 wrote to memory of 2004	1048	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 1048 wrote to memory of 2004	1048	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 1048 wrote to memory of 2004	1048	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 1048 wrote to memory of 2004	1048	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Local\Temp\001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe
"C:\Users\Admin\AppData\Local\Temp\001b7a11497faa75fd8b490b03d99152ef9779606028a421b7760415da27ca5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
  "C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
      4⤵
      Executes dropped EXE
      PID:2004
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Email.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Email.pdf

Filesize
14B

MD5
41e86c2b6c58b19f23c528e49b0cccd3

SHA1
151e373b7e9e7db55c51ef6e1576f7fc1945dd88

SHA256
1f21a2b7f1ed54c31749d69eef98c317ab3ad4f6c5f8701b021c6fa04ea2f2f6

SHA512
d75642888b27357f12a86352ba2593a91dcc72b6d9ede4f4d0b3420fa53f734176b0046edb6be8832c6a8f7d6fbf5f2dc97cc2ca578b28ae1d18190cb921258b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

Filesize
336KB

MD5
13b25d5795762b82e30501f116ca736e

SHA1
a80835acfcf8542765223357546cce2ad9a406ce

SHA256
86f4fac36bc44b5accc435614bb8ad535ab815c0002925406e395bbbbe448930

SHA512
00743d35ac8fd2af092d610aa27b691620bb415bb39f66b74ba4bb7dde5ffd32a4a79ad3cb4f4d263f79cd2c53a4152639c6763fa447da4ca2a08da30c528aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

Filesize
336KB

MD5
13b25d5795762b82e30501f116ca736e

SHA1
a80835acfcf8542765223357546cce2ad9a406ce

SHA256
86f4fac36bc44b5accc435614bb8ad535ab815c0002925406e395bbbbe448930

SHA512
00743d35ac8fd2af092d610aa27b691620bb415bb39f66b74ba4bb7dde5ffd32a4a79ad3cb4f4d263f79cd2c53a4152639c6763fa447da4ca2a08da30c528aba

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
336KB

MD5
13b25d5795762b82e30501f116ca736e

SHA1
a80835acfcf8542765223357546cce2ad9a406ce

SHA256
86f4fac36bc44b5accc435614bb8ad535ab815c0002925406e395bbbbe448930

SHA512
00743d35ac8fd2af092d610aa27b691620bb415bb39f66b74ba4bb7dde5ffd32a4a79ad3cb4f4d263f79cd2c53a4152639c6763fa447da4ca2a08da30c528aba

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
336KB

MD5
13b25d5795762b82e30501f116ca736e

SHA1
a80835acfcf8542765223357546cce2ad9a406ce

SHA256
86f4fac36bc44b5accc435614bb8ad535ab815c0002925406e395bbbbe448930

SHA512
00743d35ac8fd2af092d610aa27b691620bb415bb39f66b74ba4bb7dde5ffd32a4a79ad3cb4f4d263f79cd2c53a4152639c6763fa447da4ca2a08da30c528aba

Download Submit
\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

Filesize
336KB

MD5
13b25d5795762b82e30501f116ca736e

SHA1
a80835acfcf8542765223357546cce2ad9a406ce

SHA256
86f4fac36bc44b5accc435614bb8ad535ab815c0002925406e395bbbbe448930

SHA512
00743d35ac8fd2af092d610aa27b691620bb415bb39f66b74ba4bb7dde5ffd32a4a79ad3cb4f4d263f79cd2c53a4152639c6763fa447da4ca2a08da30c528aba

Download Submit
\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
336KB

MD5
13b25d5795762b82e30501f116ca736e

SHA1
a80835acfcf8542765223357546cce2ad9a406ce

SHA256
86f4fac36bc44b5accc435614bb8ad535ab815c0002925406e395bbbbe448930

SHA512
00743d35ac8fd2af092d610aa27b691620bb415bb39f66b74ba4bb7dde5ffd32a4a79ad3cb4f4d263f79cd2c53a4152639c6763fa447da4ca2a08da30c528aba

Download Submit
memory/320-57-0x0000000000000000-mapping.dmp

Download
memory/1048-64-0x0000000000000000-mapping.dmp

Download
memory/1168-60-0x0000000000000000-mapping.dmp

Download
memory/1872-54-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

Filesize
8KB

Download
memory/1872-69-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-55-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing