Overview

overview

10

Static

static

3

CryptoLocker.exe

windows7-x64

10

CryptoLocker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    67s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-02-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CryptoLocker.exe

  • Size

    338KB

  • MD5

    04fb36199787f2e3e2135611a38321eb

  • SHA1

    65559245709fe98052eb284577f1fd61c01ad20d

  • SHA256

    d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

  • SHA512

    533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

  • SSDEEP

    6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

Score
10/10
cryptolockerpersistenceransomware

Malware Config

Signatures

  • CryptoLocker

    Ransomware family with multiple variants.

    ransomwarecryptolocker
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
        "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
        3⤵
        • Executes dropped EXE
        PID:1828
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\AssertSwitch.jpe" /ForceBootstrapPaint3D
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1924
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    PID:2560
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4432
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Modifies Installed Components in the registry
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:3200
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\CloseGet.midi
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:3716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    256KB

    MD5

    e0732809d78c460be4d2af056f9be285

    SHA1

    ded9558db8f9cf54d75651ff706fd8c6fa9f63eb

    SHA256

    f8527813cf404938c98e9cb2b71f7cf5b07bce9bc406a7b219602a23d7f8ac7d

    SHA512

    d60f660176039caea03f466890aa2268b6bc5ec021f4ce1941d7d2c67e0fd411c9dd67a161f9de19e25bd8cd15f73425b598566126f65b7f6d5c173a218e5cf8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    ab807b7572592a6626820c3c4156592e

    SHA1

    8d3ec9427a8f83bae283816adb6afb88a9a10887

    SHA256

    13b57cbdc01cd2514c5d17857e02abd70c48bc2d1949848b322c25d312406d4d

    SHA512

    0de47e5ffd82b8964e42557a160bd16a14d5c2592803e4a588d2ab8de78eb78b141ef8c81e7c10c0418cfd94e7b1536bfe830804ee1fa7780a316239e592e1d9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    Filesize

    338KB

    MD5

    04fb36199787f2e3e2135611a38321eb

    SHA1

    65559245709fe98052eb284577f1fd61c01ad20d

    SHA256

    d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

    SHA512

    533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

    Download Submit

  • memory/2560-22-0x00000261CBB80000-0x00000261CBB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-21-0x00000261CBAF0000-0x00000261CBAF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-19-0x00000261CBAF0000-0x00000261CBAF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-23-0x00000261CBB80000-0x00000261CBB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-24-0x00000261CBB90000-0x00000261CBB91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-25-0x00000261CBB90000-0x00000261CBB91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-17-0x00000261CBA70000-0x00000261CBA71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-10-0x00000261C37A0000-0x00000261C37B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2560-6-0x00000261C3760000-0x00000261C3770000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-71-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-78-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-68-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-72-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-74-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-76-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-79-0x0000000008FA0000-0x0000000008FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-70-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-77-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-81-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-82-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-80-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-73-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-83-0x0000000008E80000-0x0000000008E90000-memory.dmp

    Filesize

    64KB

    Download