cryptolocker | ab097e8b19ec166a2ff65d10ab06a8d572216cee2b0c44ebe183a8cb60b2bae7

General

Target

0a92daa19f2cc77a21cdbf8db6d8bb68.exe
Size

684KB
MD5

0a92daa19f2cc77a21cdbf8db6d8bb68
SHA1

2074cf815217641a38f5243b8d35bc4e74ec8d31
SHA256

ab097e8b19ec166a2ff65d10ab06a8d572216cee2b0c44ebe183a8cb60b2bae7
SHA512

3c4f44578df40d952df7330ed9ab6e7df14a2332a864a894e1c34215ad4e4399f9959bf53c60c8e98de15d806630e2a72d622d2eeced3eac22d579fb0f9f45ec
SSDEEP

12288:gysoBJKquCdZ6hMDi2WgjbA+Jyrd/PaL7hc4cQFGI:GYJKqNdlDi2WOJMdea4vGI

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Deletes itself 1 IoCs

Processes:

Avywuixyxmexxtr.exe

pid process

2856 Avywuixyxmexxtr.exe
Executes dropped EXE 2 IoCs

Processes:

Avywuixyxmexxtr.exeAvywuixyxmexxtr.exe

pid process

2856 Avywuixyxmexxtr.exe
2604 Avywuixyxmexxtr.exe
Loads dropped DLL 3 IoCs

Processes:

0a92daa19f2cc77a21cdbf8db6d8bb68.exeAvywuixyxmexxtr.exe

pid process

2932 0a92daa19f2cc77a21cdbf8db6d8bb68.exe
2932 0a92daa19f2cc77a21cdbf8db6d8bb68.exe
2856 Avywuixyxmexxtr.exe

pid	process
2856	Avywuixyxmexxtr.exe

pid	process
2856	Avywuixyxmexxtr.exe
2604	Avywuixyxmexxtr.exe

pid	process
2932	0a92daa19f2cc77a21cdbf8db6d8bb68.exe
2932	0a92daa19f2cc77a21cdbf8db6d8bb68.exe
2856	Avywuixyxmexxtr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Avywuixyxmexxtr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker = "C:\\Users\\Admin\\AppData\\Local\\Avywuixyxmexxtr.exe"	Avywuixyxmexxtr.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0a92daa19f2cc77a21cdbf8db6d8bb68.exeAvywuixyxmexxtr.exe

description	pid	process	target process
PID 2932 wrote to memory of 2856	2932	0a92daa19f2cc77a21cdbf8db6d8bb68.exe	Avywuixyxmexxtr.exe
PID 2932 wrote to memory of 2856	2932	0a92daa19f2cc77a21cdbf8db6d8bb68.exe	Avywuixyxmexxtr.exe
PID 2932 wrote to memory of 2856	2932	0a92daa19f2cc77a21cdbf8db6d8bb68.exe	Avywuixyxmexxtr.exe
PID 2932 wrote to memory of 2856	2932	0a92daa19f2cc77a21cdbf8db6d8bb68.exe	Avywuixyxmexxtr.exe
PID 2856 wrote to memory of 2604	2856	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe
PID 2856 wrote to memory of 2604	2856	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe
PID 2856 wrote to memory of 2604	2856	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe
PID 2856 wrote to memory of 2604	2856	Avywuixyxmexxtr.exe	Avywuixyxmexxtr.exe

C:\Users\Admin\AppData\Local\Temp\0a92daa19f2cc77a21cdbf8db6d8bb68.exe
"C:\Users\Admin\AppData\Local\Temp\0a92daa19f2cc77a21cdbf8db6d8bb68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
  "C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" "-rC:\Users\Admin\AppData\Local\Temp\0a92daa19f2cc77a21cdbf8db6d8bb68.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2856

C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe
"C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe" -w124
1⤵
- Executes dropped EXE
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
35KB

MD5
fac77e9b0e6c8b801cd5e37a1497448f

SHA1
e9d5f071d65a71f02e125a30e50bb77eb6922b5b

SHA256
caf2425faea6a41258ea939b7b1b2b568bd4d70a7f5bbd3758f2fe97fbed991f

SHA512
d91950ef9393aaad033e1c4f8ce73d0ec39860bf1f51441280d3b3e19fa054d607b97f378068422e2b9393dadcf21b2bd01ea2715bb752c4340c7532fe6ce9a9

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
68KB

MD5
e1c7fbb713e26f35243e773b750ae15a

SHA1
10e50045b83a17ec0cb5c8a8c93368843df5b014

SHA256
1ebe184cf2407d9d46c1f2f8851024f0e56f70e73f0b03c073ec8b4a8925cb7d

SHA512
a2ac707ebfb71701cc18635091f64f20d4b9e74deac71ffca6ab17e2425fb4ef43332d8c949aa90e3b6b27be3243251792ae8b6854f3c809e3f1a725ff2b15d0

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
49KB

MD5
cd9a2f22ab3e9f6121f60a9c16c3f9ac

SHA1
551ae80a3724ea8cc50a5abe4fda0eea7ff849de

SHA256
03d310a780b3a95ab6cfdceb85511601bbdee75029232943de0729cbbd504cfa

SHA512
9cb0d9972e277bf19a31532dc821820377326d823db5c8e4edf44ad4eb5f72c5a574ad0ec8add3cf40962681e070b33033187471bd76026abdfa156adb62756a

Download Submit
C:\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
59KB

MD5
37e13abc9cc8aeb2de1c654ee8a3eb6e

SHA1
41d5172259879c9154a71f3b8a26c8f2cc3bc930

SHA256
c54350dea2ca6794edcc1b6b31e35129f3158d4bd5af76d8075d05844381c8dd

SHA512
d19a087203792a8ffcd8b7ed46829b5ac9537dd0329b23274aef25834d64bd6199c690578d31f80e02b11e9258cde4d4fb3f8f42dceaa2c546792f8c01ed6d44

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
37KB

MD5
b2cc1a2583581d4101fe02de62b8a6f5

SHA1
976c665cb435e3d05553eb26dc3a5122a5796c38

SHA256
ffacd75c43d49d79946a1604e42f79d826dff26c51d9ed5371217db20d489a6b

SHA512
07933be2f876605805ceb3394a796f9bb281e4895cfef7a258ec47a7e090a091934f869bb4c99e86878fcd5442a49b39bad2b228b9869b2ac453ddf5054110e7

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
56KB

MD5
544425336852a05e1a59f0b53c1174ab

SHA1
31dd320eaeac6641d307c82faedee29af239041c

SHA256
e5df629fa87faf7ab9d249242b61b9c4d1984107ea9237161b9c9df2c3b1b693

SHA512
4d93f2ad88e2286684e4251fd225821fec1a3fca59f721e680d78ea8463a6ad01837fa1ac0d8135a2869631492a63e51623412064986b5f8c408f8cfbee060d0

Download Submit
\Users\Admin\AppData\Local\Avywuixyxmexxtr.exe

Filesize
60KB

MD5
613942bbf3824e8a8eb286ab9fbe80fb

SHA1
59ec1305d32f7ae5efa89217c187c70ac6a2d9ef

SHA256
88a885589630ba5fbd90fe3e0ee43528f208fd523386bcb15f2a22aa500f32eb

SHA512
fa82e05146b238ffebbeaba402ad567af1efd8d188f2dde080af448b790223e4fd7dfe1304b1a6954fa74d0eb4b987a000a477d2771d27f117804e58cdc432f0

Download Submit
memory/2604-21-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2604-25-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2856-15-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2856-24-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2856-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2856-26-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2932-2-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2932-14-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2932-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2932-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads