cryptolocker | 022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/CryptoLocker.exe
Size

338KB
MD5

04fb36199787f2e3e2135611a38321eb
SHA1

65559245709fe98052eb284577f1fd61c01ad20d
SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512

533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
SSDEEP

6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Deletes itself 1 IoCs

pid	Process
3008	{34184A33-0407-212E-3320-09040709E2C2}.exe

Executes dropped EXE 2 IoCs

pid	Process
3008	{34184A33-0407-212E-3320-09040709E2C2}.exe
2660	{34184A33-0407-212E-3320-09040709E2C2}.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	CryptoLocker.exe
3008	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3008	2748	CryptoLocker.exe	28
PID 2748 wrote to memory of 3008	2748	CryptoLocker.exe	28
PID 2748 wrote to memory of 3008	2748	CryptoLocker.exe	28
PID 2748 wrote to memory of 3008	2748	CryptoLocker.exe	28
PID 3008 wrote to memory of 2660	3008	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 3008 wrote to memory of 2660	3008	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 3008 wrote to memory of 2660	3008	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 3008 wrote to memory of 2660	3008	{34184A33-0407-212E-3320-09040709E2C2}.exe	29

C:\Users\Admin\AppData\Local\Temp\Ransomware\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\CryptoLocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\Ransomware\CryptoLocker.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
    3⤵
    - Executes dropped EXE
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
295KB

MD5
63190a6781b2ecb8af475ad151a4788d

SHA1
5cf8f29ecb3b6668744b9fca41d4194e0f401a97

SHA256
11b29bc9bc09d7e99e325b4539749aa85f9ff80c89f5588d8485ec3bd0823cfb

SHA512
1f243941ae2ae023cbc61b03a8cf3f4137ace75250912992eb97b8943cc7c60b013a90297056ea1e61e65d3ad9f2b3826d52c09a52c5b6625518c11d773898a8

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
64KB

MD5
33b709c80f1242538786b33a91ee3e3a

SHA1
497d63fbcffacdf3a620d08d926b2da35bd2bc1a

SHA256
aa21af4043aaf1794ab26720abc7b2a5ac441f71b1c12582c1de420dbca6ca41

SHA512
6b6ab768533d851e4784666af113befccfb6aa83b716cfe8c92778d74e0cfb3c3f0929d4cc88811c8c614eb13f1c7ec757cb05f07579d2cf9f7462fb967783ba

Download Submit
\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads