Overview
overview
10Static
static
7Ransomware...er.exe
windows7-x64
8Ransomware...er.exe
windows10-2004-x64
8Ransomware/7ev3n.exe
windows7-x64
Ransomware/7ev3n.exe
windows10-2004-x64
Ransomware...le.exe
windows7-x64
Ransomware...le.exe
windows10-2004-x64
Ransomware...it.exe
windows7-x64
10Ransomware...it.exe
windows10-2004-x64
10Ransomware/Birele.exe
windows10-2004-x64
10Ransomware...r5.exe
windows7-x64
10Ransomware...r5.exe
windows10-2004-x64
10Ransomware...us.exe
windows7-x64
10Ransomware...us.exe
windows10-2004-x64
10Ransomware...er.exe
windows7-x64
10Ransomware...er.exe
windows10-2004-x64
10Ransomware...ll.exe
windows7-x64
9Ransomware...ll.exe
windows10-2004-x64
7Ransomware...ck.exe
windows7-x64
7Ransomware...ck.exe
windows10-2004-x64
7Ransomware/Dharma.exe
windows7-x64
9Ransomware/Dharma.exe
windows10-2004-x64
9Ransomware/Fantom.exe
windows7-x64
10Ransomware/Fantom.exe
windows10-2004-x64
10Ransomware...ab.exe
windows7-x64
10Ransomware...ab.exe
windows10-2004-x64
10Ransomware...ye.exe
windows7-x64
10Ransomware...ye.exe
windows10-2004-x64
10Ransomware...Eye.js
windows7-x64
10Ransomware...Eye.js
windows10-2004-x64
10Ransomware...pt.exe
windows7-x64
10Ransomware...pt.exe
windows10-2004-x64
10Ransomware...en.exe
windows7-x64
8Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-03-2024 01:34
Behavioral task
behavioral1
Sample
Ransomware/$uckyLocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Ransomware/$uckyLocker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Ransomware/7ev3n.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Ransomware/7ev3n.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Ransomware/Annabelle.exe
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
Ransomware/Annabelle.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Ransomware/BadRabbit.exe
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
Ransomware/Birele.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral10
Sample
Ransomware/Cerber5.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
Ransomware/Cerber5.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
Ransomware/CoronaVirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
Ransomware/CoronaVirus.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
Ransomware/CryptoLocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
Ransomware/CryptoLocker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
Ransomware/CryptoWall.exe
Resource
win7-20240220-en
Behavioral task
behavioral17
Sample
Ransomware/CryptoWall.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral18
Sample
Ransomware/DeriaLock.exe
Resource
win7-20240215-en
Behavioral task
behavioral19
Sample
Ransomware/DeriaLock.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
Ransomware/Dharma.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
Ransomware/Dharma.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral22
Sample
Ransomware/Fantom.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
Ransomware/Fantom.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral24
Sample
Ransomware/GandCrab.exe
Resource
win7-20240215-en
Behavioral task
behavioral25
Sample
Ransomware/GandCrab.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral26
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-en
Behavioral task
behavioral30
Sample
Ransomware/InfinityCrypt.exe
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
Ransomware/InfinityCrypt.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral32
Sample
Ransomware/Krotten.exe
Resource
win7-20240221-en
General
-
Target
Ransomware/CryptoLocker.exe
-
Size
338KB
-
MD5
04fb36199787f2e3e2135611a38321eb
-
SHA1
65559245709fe98052eb284577f1fd61c01ad20d
-
SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
-
SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
SSDEEP
6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Malware Config
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Deletes itself 1 IoCs
Processes:
{34184A33-0407-212E-3320-09040709E2C2}.exepid process 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe -
Executes dropped EXE 2 IoCs
Processes:
{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exepid process 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe 2660 {34184A33-0407-212E-3320-09040709E2C2}.exe -
Loads dropped DLL 2 IoCs
Processes:
CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exepid process 2748 CryptoLocker.exe 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
{34184A33-0407-212E-3320-09040709E2C2}.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" {34184A33-0407-212E-3320-09040709E2C2}.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exedescription pid process target process PID 2748 wrote to memory of 3008 2748 CryptoLocker.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 2748 wrote to memory of 3008 2748 CryptoLocker.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 2748 wrote to memory of 3008 2748 CryptoLocker.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 2748 wrote to memory of 3008 2748 CryptoLocker.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 3008 wrote to memory of 2660 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 3008 wrote to memory of 2660 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 3008 wrote to memory of 2660 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe {34184A33-0407-212E-3320-09040709E2C2}.exe PID 3008 wrote to memory of 2660 3008 {34184A33-0407-212E-3320-09040709E2C2}.exe {34184A33-0407-212E-3320-09040709E2C2}.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\CryptoLocker.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\CryptoLocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\Ransomware\CryptoLocker.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C83⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exeFilesize
295KB
MD563190a6781b2ecb8af475ad151a4788d
SHA15cf8f29ecb3b6668744b9fca41d4194e0f401a97
SHA25611b29bc9bc09d7e99e325b4539749aa85f9ff80c89f5588d8485ec3bd0823cfb
SHA5121f243941ae2ae023cbc61b03a8cf3f4137ace75250912992eb97b8943cc7c60b013a90297056ea1e61e65d3ad9f2b3826d52c09a52c5b6625518c11d773898a8
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exeFilesize
64KB
MD533b709c80f1242538786b33a91ee3e3a
SHA1497d63fbcffacdf3a620d08d926b2da35bd2bc1a
SHA256aa21af4043aaf1794ab26720abc7b2a5ac441f71b1c12582c1de420dbca6ca41
SHA5126b6ab768533d851e4784666af113befccfb6aa83b716cfe8c92778d74e0cfb3c3f0929d4cc88811c8c614eb13f1c7ec757cb05f07579d2cf9f7462fb967783ba
-
\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exeFilesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444