cryptolocker | 724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425

General

Target

724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe
Size

352KB
MD5

a93d75cb6f72c1847c3f5afc9c94bbbb
SHA1

016409e124f98d565c5a5fa3d3b2428152259df7
SHA256

724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425
SHA512

ad79d2f68b0b2036794bd047256ed8f9eccd497db7701b5f1b80e7b4388a28774edfa50abf846427aa81b833c0cd970dcd4bd468b05f5d943f5a8f1baa2c00f5
SSDEEP

6144:Y3Q7OlkZayQFnE0oqCtBK/OLyUsn07wWQshOBqSTeaybz+ffB:v/rWZoqf/OCPIOMj1P+

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Executes dropped EXE 2 IoCs

Processes:

Avywuixyxmexxtr.exeAvywuixyxmexxtr.exe

pid process

112 Avywuixyxmexxtr.exe
1068 Avywuixyxmexxtr.exe
Deletes itself 1 IoCs

Processes:

Avywuixyxmexxtr.exe

pid process

112 Avywuixyxmexxtr.exe
Loads dropped DLL 1 IoCs

Processes:

724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe

pid process

1888 724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe

pid	process
112	Avywuixyxmexxtr.exe
1068	Avywuixyxmexxtr.exe

pid	process
112	Avywuixyxmexxtr.exe

pid	process
1888	724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Avywuixyxmexxtr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Avywuixyxmexxtr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Avywuixyxmexxtr.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exeAvywuixyxmexxtr.exe

description	pid	process	target process
PID 1888 wrote to memory of 112	1888	724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe	Avywuixyxmexxtr.exe
PID 1888 wrote to memory of 112	1888	724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe	Avywuixyxmexxtr.exe
PID 1888 wrote to memory of 112	1888	724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe	Avywuixyxmexxtr.exe
PID 1888 wrote to memory of 112	1888	724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe	Avywuixyxmexxtr.exe
PID 112 wrote to memory of 1068	112	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe
PID 112 wrote to memory of 1068	112	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe
PID 112 wrote to memory of 1068	112	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe
PID 112 wrote to memory of 1068	112	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe

C:\Users\Admin\AppData\Local\Temp\724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe
"C:\Users\Admin\AppData\Local\Temp\724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
  "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" "-rC:\Users\Admin\AppData\Local\Temp\724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
    "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" -w11c
    3⤵
    - Executes dropped EXE
    PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
352KB

MD5
a93d75cb6f72c1847c3f5afc9c94bbbb

SHA1
016409e124f98d565c5a5fa3d3b2428152259df7

SHA256
724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425

SHA512
ad79d2f68b0b2036794bd047256ed8f9eccd497db7701b5f1b80e7b4388a28774edfa50abf846427aa81b833c0cd970dcd4bd468b05f5d943f5a8f1baa2c00f5

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
352KB

MD5
a93d75cb6f72c1847c3f5afc9c94bbbb

SHA1
016409e124f98d565c5a5fa3d3b2428152259df7

SHA256
724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425

SHA512
ad79d2f68b0b2036794bd047256ed8f9eccd497db7701b5f1b80e7b4388a28774edfa50abf846427aa81b833c0cd970dcd4bd468b05f5d943f5a8f1baa2c00f5

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
352KB

MD5
a93d75cb6f72c1847c3f5afc9c94bbbb

SHA1
016409e124f98d565c5a5fa3d3b2428152259df7

SHA256
724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425

SHA512
ad79d2f68b0b2036794bd047256ed8f9eccd497db7701b5f1b80e7b4388a28774edfa50abf846427aa81b833c0cd970dcd4bd468b05f5d943f5a8f1baa2c00f5

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
352KB

MD5
a93d75cb6f72c1847c3f5afc9c94bbbb

SHA1
016409e124f98d565c5a5fa3d3b2428152259df7

SHA256
724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425

SHA512
ad79d2f68b0b2036794bd047256ed8f9eccd497db7701b5f1b80e7b4388a28774edfa50abf846427aa81b833c0cd970dcd4bd468b05f5d943f5a8f1baa2c00f5

Download Submit
memory/112-65-0x0000000000280000-0x00000000002E5000-memory.dmp

Filesize
404KB

Download
memory/112-58-0x0000000000000000-mapping.dmp

Download
memory/112-64-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1068-63-0x0000000000000000-mapping.dmp

Download
memory/1068-69-0x0000000000290000-0x00000000002F5000-memory.dmp

Filesize
404KB

Download
memory/1068-68-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1888-60-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1888-56-0x0000000000230000-0x0000000000295000-memory.dmp

Filesize
404KB

Download
memory/1888-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1888-55-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing