Analysis

  • max time kernel
    118s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-01-2024 05:57

General

  • Target

    2024-01-10_df9034a728ae85bc8b989b525fbcf699_cryptolocker.exe

  • Size

    338KB

  • MD5

    df9034a728ae85bc8b989b525fbcf699

  • SHA1

    1a8316dc5d4cbb8af8aa6f67c5905d53696380d3

  • SHA256

    41c7d90bca58b1c919ec1e69888fd1ea969b11fdec6d4830500c7f60101caba9

  • SHA512

    01c5c10c085b840813479a407d8b053d553816aadd03459590663026dc41bb1f355116c249ed67da0f4b7615f606bdd19ce7ee253bb5ebbf77c5e1341c43985b

  • SSDEEP

    6144:sWmw0DuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkDuCaNT85I2vCMX5l+ZRv

Malware Config

Signatures

  • CryptoLocker

    Ransomware family with multiple variants.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Program crash (1 IoC; WerFault.exe was invoked for PID 2972, see Processes)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_df9034a728ae85bc8b989b525fbcf699_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_df9034a728ae85bc8b989b525fbcf699_cryptolocker.exe"
    level 1
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\2024-01-10_df9034a728ae85bc8b989b525fbcf699_cryptolocker.exe"
      level 2
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
        "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
        level 3
        • Executes dropped EXE
        PID:2544
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 352
        level 3
        • Loads dropped DLL
        • Program crash
        PID:2100
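A host-side detection check built from the process tree above, added here as an example; it is not part of the sandbox report. It assumes process-creation records with Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage, ProcessId), assumes explorer.exe as the launcher of the top-level sample (the report does not show that parent), and runs over constructed records that mirror the tree plus one benign control. The `/r<path>` and `/w<hex>` argument shapes are matched exactly as observed; the report does not state what they mean, so nothing is claimed about them beyond their form.

```python
"""Detection checks derived from the sandbox report above (added example, not
part of the report).

Assumptions: process-creation records use Sysmon Event ID 1 style field names
(Image, CommandLine, ParentImage, ProcessId); the launcher of the top-level
sample is not given in the report and is assumed to be explorer.exe.
"""
import re

# SHA256 digests copied from the report: the submitted sample and every version
# of the dropped %APPDATA%\{GUID}.exe that the sandbox captured.
KNOWN_SHA256 = {
    "41c7d90bca58b1c919ec1e69888fd1ea969b11fdec6d4830500c7f60101caba9": "submitted sample (338KB); also written to the dropped-file path",
    "653f920d92d51771e22994e92e15f6048febd2b82a789d485eb13c3482c38eab": "dropped exe (128KB)",
    "8d46c4f3db4d1c4336da92331778df64f0fad31462e98deb0b3acaae86c488d6": "dropped exe (182KB)",
    "f912ec3dc1c94ab5439beccf4fca0d59cfa1f2a399bdcad37e9e8391c56c9aee": "dropped exe (173KB)",
    "8e75a4d15964ed0fc18cb40c91caa208ae7cd658853aca49329b45e8f664b5f1": "dropped exe (91KB)",
    "b2351c401b7418031440caa4416a085a79f4b6292109bf083ea44840c4e97fc3": "dropped exe (192KB)",
    "d20f0a2dac3456629b4593759524934455bf86c3146b19d6608ed79b80d2bea1": "dropped exe (297KB)",
}

# A {8-4-4-4-12} GUID-named .exe directly under the Roaming profile, as in the report.
GUID_EXE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Argument shapes seen in the report: "/r<path>" and "/w<8 hex digits>".  The
# report does not say what they mean, so only the shape is matched.
R_ARG = re.compile(r'"?/r([A-Za-z]:\\[^"]+)"?', re.IGNORECASE)
W_ARG = re.compile(r"/w[0-9a-f]{8}\b", re.IGNORECASE)


def lookup_sha256(digest):
    """Label for a digest listed in the report, or None if it is not one of them."""
    return KNOWN_SHA256.get(digest.strip().lower())


def assess(event):
    """Reasons a process-creation record matches the reported tree (empty list = no match)."""
    image = event["Image"]
    parent = event["ParentImage"]
    cmd = event["CommandLine"]
    reasons = []
    if GUID_EXE.search(image):
        reasons.append("guid_named_exe_in_roaming")
        if TEMP_DIR.search(parent):
            reasons.append("launched_by_exe_in_temp")
    m = R_ARG.search(cmd)
    if m and m.group(1).lower() == parent.lower():
        # The /r argument carries the parent's own path, as with PID 2972 above.
        reasons.append("r_argument_names_parent_exe")
    if image.lower() == parent.lower() and W_ARG.search(cmd):
        # The same binary re-launches itself with /w<hex>, as with PID 2544 above.
        reasons.append("self_relaunch_with_w_argument")
    return reasons


def scan(events):
    """Map ProcessId -> reasons for every record that matched at least one check."""
    hits = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits[ev["ProcessId"]] = reasons
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-01-10_df9034a728ae85bc8b989b525fbcf699_cryptolocker.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"

# Constructed records mirroring the report's process tree, plus one benign control.
SAMPLE_EVENTS = [
    {"ProcessId": 3044, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # launcher assumed, not in the report
    {"ProcessId": 2972, "Image": DROPPED, "CommandLine": f'"{DROPPED}" "/r{SAMPLE}"',
     "ParentImage": SAMPLE},
    {"ProcessId": 2544, "Image": DROPPED, "CommandLine": f'"{DROPPED}" /w000000C8',
     "ParentImage": DROPPED},
    {"ProcessId": 2100, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 352", "ParentImage": DROPPED},
    {"ProcessId": 4242, "Image": r"C:\Windows\System32\notepad.exe",  # benign control, constructed
     "CommandLine": r'"C:\Windows\System32\notepad.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_EVENTS).items():
        print(pid, why)
```

On real telemetry, feed `scan` the process-creation events exported from Sysmon or EDR with the same field names. The GUID-name check is the weakest signal on its own; the two that carry the weight are a GUID-named Roaming executable launched by something in the Temp directory and a `/r` argument that repeats the parent's own path, which is exactly the shape of PID 2972 in the tree above. `lookup_sha256` lets the same script confirm whether a file found at the dropped path is one of the seven versions the sandbox saw.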

Network

MITRE ATT&CK Enterprise v15

Downloads

The same dropped path appears seven times below with different sizes and hashes: the sandbox captured several distinct versions written to C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe during the run. One of them (338KB) has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so at that point the dropped file was a byte-identical copy of the original.

  • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    128KB

    MD5

    7f8a30481ee90f14a6169254957263fe

    SHA1

    db5d5a50214d0690ef5f00f53b9276b136a3c146

    SHA256

    653f920d92d51771e22994e92e15f6048febd2b82a789d485eb13c3482c38eab

    SHA512

    ff0c07f5368657876fc2a360b2aba4350adfecd08479137d5f18f5a189cd0ca67e29beaf257e14863274aa44c7564fb490056abb7c27d97e9591a43f6784e74c

  • \Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    182KB

    MD5

    aa05cabac048570708a76d6a6f525fd9

    SHA1

    29a320a962cedf99682126522e067f4adc688647

    SHA256

    8d46c4f3db4d1c4336da92331778df64f0fad31462e98deb0b3acaae86c488d6

    SHA512

    132ea2ff4e75a6f7787d5ca3bc774d8a7937512f0ef7657321f68d7fef96a6f381327499cb51d029e81bafbe75628e6be3d3c8e6b3fd7203fb612091dbc09dcd

  • \Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    173KB

    MD5

    1583c230747a04c7a82350fae656039d

    SHA1

    ec4416ed8ff771a18991d9b5a257bd92e0b6a6dd

    SHA256

    f912ec3dc1c94ab5439beccf4fca0d59cfa1f2a399bdcad37e9e8391c56c9aee

    SHA512

    565f4945062688e387c6d791e7d50407d6270aa87bb5fafc907dbde744b88bd1bb6d572616643e2634482051f8c097f27331a3a96d597768047dd5404942fa9d

  • \Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    91KB

    MD5

    2221a4219df15ddebb69f38fa077c5fa

    SHA1

    93131a9a788e560984f6ca2f0d80ce2c813398f6

    SHA256

    8e75a4d15964ed0fc18cb40c91caa208ae7cd658853aca49329b45e8f664b5f1

    SHA512

    8bcb0df67c0bd769143a7c6936b0c3ae1047454c7d90b307b4fb718e5f4ba4e225acf1eec7234f70f30e2c4b543f268e11242db727d527733a64e3687a329548

  • \Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    338KB

    MD5

    df9034a728ae85bc8b989b525fbcf699

    SHA1

    1a8316dc5d4cbb8af8aa6f67c5905d53696380d3

    SHA256

    41c7d90bca58b1c919ec1e69888fd1ea969b11fdec6d4830500c7f60101caba9

    SHA512

    01c5c10c085b840813479a407d8b053d553816aadd03459590663026dc41bb1f355116c249ed67da0f4b7615f606bdd19ce7ee253bb5ebbf77c5e1341c43985b

  • \Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    192KB

    MD5

    835cf0aa4b8647206de92fb408c63e70

    SHA1

    a630d638e82140ba7a6a7a6cbf2a56ba45e83abb

    SHA256

    b2351c401b7418031440caa4416a085a79f4b6292109bf083ea44840c4e97fc3

    SHA512

    e0fab0e25cc58f0cda656b9cc8189b6021e937ea3a1ad734b77e19f2eb654ddb9b4e933cb32924f5216e4979bea9975a75b35f717953e1ca369b2e6b8e650441

  • \Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

    Filesize

    297KB

    MD5

    c994fb4f35038293f6d8dea4e3fca4b6

    SHA1

    d06c832076e84f2cf709472a5b233860a7839077

    SHA256

    d20f0a2dac3456629b4593759524934455bf86c3146b19d6608ed79b80d2bea1

    SHA512

    0c764f07d3da5a1fb2a9933b335bb0536a78e743ace7dc705c21b3ee9ee341ed0241203535968351b364147de24d66254fa86b8f0f21aa159a062838e230db18