cryptolocker | 76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a

General

Target

76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe
Size

726KB
MD5

e9cd494b249cea7b968fa89f1e7d40de
SHA1

fd514fe256f815cfecf67fb57e16d106443d90dc
SHA256

76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a
SHA512

2689268a8fd96fa0e9b65f245bb3ab4ca860e7aa017e930c14d58bbe0ffc52ecb050de43865ebd8b7ff56270075d4a071caed81dff3c4d01c482d183482ff53a
SSDEEP

12288:xBnDWIk+GOifTjyBImx5MKJ5nJDLWrutVPIEwSdbE0HD1s:x5Vk+vibuIm8qZJfWyPwENdf

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Executes dropped EXE 2 IoCs

pid	Process
1352	Wawbmdknpbal.exe
1620	Wawbmdknpbal.exe

Deletes itself 1 IoCs

pid	Process
1352	Wawbmdknpbal.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe
1388	76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Wawbmdknpbal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\Wawbmdknpbal.exe"	Wawbmdknpbal.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Wawbmdknpbal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\Wawbmdknpbal.exe"	Wawbmdknpbal.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1352	1388	76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe	26
PID 1388 wrote to memory of 1352	1388	76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe	26
PID 1388 wrote to memory of 1352	1388	76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe	26
PID 1388 wrote to memory of 1352	1388	76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe	26
PID 1352 wrote to memory of 1620	1352	Wawbmdknpbal.exe	27
PID 1352 wrote to memory of 1620	1352	Wawbmdknpbal.exe	27
PID 1352 wrote to memory of 1620	1352	Wawbmdknpbal.exe	27
PID 1352 wrote to memory of 1620	1352	Wawbmdknpbal.exe	27

C:\Users\Admin\AppData\Local\Temp\76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe
"C:\Users\Admin\AppData\Local\Temp\76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe
  "C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe" "/rC:\Users\Admin\AppData\Local\Temp\76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe
    "C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe" /w0000011C
    3⤵
    - Executes dropped EXE
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe

Filesize
726KB

MD5
e9cd494b249cea7b968fa89f1e7d40de

SHA1
fd514fe256f815cfecf67fb57e16d106443d90dc

SHA256
76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a

SHA512
2689268a8fd96fa0e9b65f245bb3ab4ca860e7aa017e930c14d58bbe0ffc52ecb050de43865ebd8b7ff56270075d4a071caed81dff3c4d01c482d183482ff53a

Download Submit
C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe

Filesize
726KB

MD5
e9cd494b249cea7b968fa89f1e7d40de

SHA1
fd514fe256f815cfecf67fb57e16d106443d90dc

SHA256
76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a

SHA512
2689268a8fd96fa0e9b65f245bb3ab4ca860e7aa017e930c14d58bbe0ffc52ecb050de43865ebd8b7ff56270075d4a071caed81dff3c4d01c482d183482ff53a

Download Submit
C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe

Filesize
726KB

MD5
e9cd494b249cea7b968fa89f1e7d40de

SHA1
fd514fe256f815cfecf67fb57e16d106443d90dc

SHA256
76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a

SHA512
2689268a8fd96fa0e9b65f245bb3ab4ca860e7aa017e930c14d58bbe0ffc52ecb050de43865ebd8b7ff56270075d4a071caed81dff3c4d01c482d183482ff53a

Download Submit
\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe

Filesize
726KB

MD5
e9cd494b249cea7b968fa89f1e7d40de

SHA1
fd514fe256f815cfecf67fb57e16d106443d90dc

SHA256
76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a

SHA512
2689268a8fd96fa0e9b65f245bb3ab4ca860e7aa017e930c14d58bbe0ffc52ecb050de43865ebd8b7ff56270075d4a071caed81dff3c4d01c482d183482ff53a

Download Submit
\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe

Filesize
726KB

MD5
e9cd494b249cea7b968fa89f1e7d40de

SHA1
fd514fe256f815cfecf67fb57e16d106443d90dc

SHA256
76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a

SHA512
2689268a8fd96fa0e9b65f245bb3ab4ca860e7aa017e930c14d58bbe0ffc52ecb050de43865ebd8b7ff56270075d4a071caed81dff3c4d01c482d183482ff53a

Download Submit
memory/1352-63-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-55-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1620-70-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing