Analysis
-
max time kernel
84s -
max time network
78s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
-
submitted
05-02-2024 18:25
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker.exe
Malware Config
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8aa773cb8,0x7ff8aa773cc8,0x7ff8aa773cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,17763438286004790423,5124383214379401442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002344⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD55cabc17286e25c0ade7a7f050b6e92a6
SHA1c25ab09177ad0da9ee6caf78310236bdc2cba319
SHA2560e75f9140c154297d8f741aea07b90fc1be1b8deb79c3f204148471800e322b6
SHA5120cc35eda0168f51e5e719ba0bfb226c9f5293a6056d47190a23377deb98244f42c62b8416696cdd13b2db6228c1c8a2513cdf6dbb1d4b59f0c1c889d1acee6e8
-
Filesize
1KB
MD5ee0024c759da9e58ac88bcd6d467fcff
SHA1cfdfd7653786700039d0f13b66d3894d53f485f8
SHA25689a121cbcd09a68f38345b418b9909a16e1037cabd836a67ee529bee640507a7
SHA512fd6e9f86962648db97f6fd6a333e472d1c5e18ef8dd9e1cf24a386268a784e4dad1689834fa44cae07a61f13efc20852cd33f3bd18ff1fa315dcdc9006a04dfa
-
Filesize
579B
MD5a7d1701142cca705f833d70023ef4e1e
SHA11b76853132abfcddb4fefac42bf9df5d013c9815
SHA2566c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
4KB
MD5afdf9bb938ead50423f8e450e94f1ed3
SHA16a66161dd39848f2176a725a828de4bd6edcd5f4
SHA256ff6d621ba804e5907c3cf00402dd70857fc61ac4af4f34781e9853ae24e32fef
SHA512ac859d5876781b7c2d5263c99820414115eaa9b610bd3c3abdcf7efe417b8d7493a496eaf7a6da7aad030da5638effbcb75fa6871e362c2e289c31ba62a230ea
-
Filesize
5KB
MD504514d36ded58d0748d89e8618a16b27
SHA1a56c7ef3dadfda27cef0f94d8462083f06ba4581
SHA256b1cac71e2b53c7a0bcbcb2e8999e9409aac9f12d66247eea6544b282f7a15746
SHA5127e91074d7533ba52af249a51c0d2cd494e37706fd0308f1848d6ea7812b6140aca68bbea29104ee6e6a81fb40bc8f945ad8421c826f31c5377e308b52a73f356
-
Filesize
5KB
MD590c17072baae733c3bfff26e7014eb88
SHA175e3cd418309b57a084074eb85de5553d5a65f2b
SHA256998fe6926a473eb8d348fb6eb9cc0685114b3fd93782b726680806e726e3555a
SHA512d0556e5ccfee3932eec9f1d04e3bd74a91d36176ad284fd0d1474a27118db00385eceaa15c008777681aebb55bf9fab6e1a7bcfd92f3ee5726db55d89d65c606
-
Filesize
25KB
MD568fe6f34e7d6603a3d2f4c95919f8408
SHA1c7be30582f94d46f05338cc39726f72c9e2fa4cf
SHA2568cba909149b2d3fc45315cf63cdb8fbe42a4b7c614347171ba00aaf859639c1a
SHA51248eac2f55675b01ebeb28680ed9af6dcb9c558f76fd647cf05f8a7e1fa04ee57f7a8c70bc0ea882bdbca48b29d62ea7af74b76a03b09c19762e4c93118929be1
-
Filesize
874B
MD5901f3dbc032d2dbafe2e9a133a9e745d
SHA1308f833d4f2d1aaea94809f00e3538cd15aaa907
SHA25609d05c480b088508e1c51f7265d006a01364e311f32a8fd344dc07ab1008651c
SHA512362ed6a57a25c44ab46af3abce9cd461fcfae3649f13190238a29429d67f2b9c67abb57863e27c100ad74a0798e004bbec79ee195d491329f1a5a348c36de6af
-
Filesize
1KB
MD5e8adee2eb8f13f7d9e9993aec38082c5
SHA11bc386d80664353b4ebada642baadb111f9e1ed9
SHA2565f13694a8511420ff82351c34f724761529dc25bddbb2246725fddccbeee171c
SHA512e18da05aff31ad4849aca74184de65f91274421aad96d9ba209273a94ba00b19d4c20a4cfa884c89b0ea7ea63e361e84e5eb2bc1a89c739ef0e11018439511ed
-
Filesize
874B
MD502d2fbe4b7999e127faab0af676bc784
SHA15f0cff222bfdbb3dbba4156cb863a955772464a5
SHA256bed5e51c2cae87a1c149052e980f14206a6814041cc8908bd02a209fc940ad1f
SHA5125b96161ddb013f07754d58c935f6d393ce85c9cb1679290255a2c67e2903b2e81068aad187d197d6d3a60bd4b006b2507b280e83f9bef65443fa57c89a4b144e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5de164212d0c620774cce28f62fedb66c
SHA1a51fce2ce4a17aef11509a8b5cfe4fcf710eaff8
SHA256ffc1aba0774ee7b8e3a494436ff4207b7c6bdafd65418b6c4596c4d3b12dbfe1
SHA512a0a478ba9f9b2c77eaa160ec964e379dd43937cdac6e1b17ee8be99e69ff8b4868c8e0efa7d689f2e448f5e8d0283a63a09c32a7d0ca66d02150a51136194984
-
Filesize
10KB
MD54769dc2a93086e788edd8b41721da02a
SHA10db39e4a895cd008677d9363e681c2d7919361c2
SHA25677de1e312d8541e0082e2e47940576856a2a31f19bb71420a045be8873e9d754
SHA512277437b7f302091bd3e9374877b401b16109a20060012e336d820888f4382c89b0015bbfd3e5f612a589c84a8ebb4dc37b464436c333795dfb8a6dd5ee270c17
-
Filesize
10KB
MD5f99dbf244b98026d2df25744de38d517
SHA10315163e93adac743f2aa46a0b48f8b2e7707947
SHA256168425ca59ff2b4de37c3fef75646dbc71986bdd7fcc857913dc3e5de7d34768
SHA512600176a1d3184eb8f225f08cf96d7694aee294325b851c410812a597387da17a15fd4d65e889078d06bf1a2958965db81ec7de3a67cb49f483484044802e3067
-
Filesize
11KB
MD59525ed790aaa25e346ee37d85fd2607c
SHA102db19a5bd9119cb90329f438c287cda89b2d032
SHA256f48431cb6a0247a5019286176ed5fc3db474a95b119b96ea4c5b1295747e3e75
SHA5126bb92cbc68468f106f542485aadfcceb6bdbe6bc8b12782fdb83bdca290bc72e0c1c3b0cc657893365e5b02494884002c858e1f8114208e6b317f623172be7e9
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444