Overview

overview

10

Static

static

3

2024-03-02...er.exe

windows7-x64

10

2024-03-02...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-03-2024 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-02_57075198c87ac0e2936355d2736b1164_cryptolocker.exe

  • Size

    404KB

  • MD5

    57075198c87ac0e2936355d2736b1164

  • SHA1

    059d97a1bbce7eaabfd357348518ee9895e507cb

  • SHA256

    17849d3bf40f1d6833c538664ac843f728aba013c965e3ccb38b273c5f5c7e79

  • SHA512

    1cc1360eaceb241f4bf3ff5acbd13c1b1ce91945ce002f570ff1d0742206522557f651e4285bcedc38375732aec1fed2b03633fa60227619b5a8f1b7999abf00

  • SSDEEP

    12288:gWkEuCaNT85I2vCMX5l+ZRvjfQ3AoMQ3:gEuCalMpCjfQ3AoMQ3

Score
10/10
cryptolockerpersistenceransomware

Malware Config

Signatures

  • CryptoLocker

    Ransomware family with multiple variants.

    ransomwarecryptolocker
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_57075198c87ac0e2936355d2736b1164_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_57075198c87ac0e2936355d2736b1164_cryptolocker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\2024-03-02_57075198c87ac0e2936355d2736b1164_cryptolocker.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
        "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000224
        3⤵
        • Executes dropped EXE
        PID:3880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    Filesize

    404KB

    MD5

    57075198c87ac0e2936355d2736b1164

    SHA1

    059d97a1bbce7eaabfd357348518ee9895e507cb

    SHA256

    17849d3bf40f1d6833c538664ac843f728aba013c965e3ccb38b273c5f5c7e79

    SHA512

    1cc1360eaceb241f4bf3ff5acbd13c1b1ce91945ce002f570ff1d0742206522557f651e4285bcedc38375732aec1fed2b03633fa60227619b5a8f1b7999abf00

    Download Submit