cryptolocker | 163db290ba2f8a088ea7bb5838bb3747cd49ed89848dc378f190b9fc8f0fe7c8

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d2bd43c8cea74a7e899f57c9baab64.exe
Size

395KB
MD5

36d2bd43c8cea74a7e899f57c9baab64
SHA1

84bc63932258fb3a58c39465b365cecf920547ec
SHA256

163db290ba2f8a088ea7bb5838bb3747cd49ed89848dc378f190b9fc8f0fe7c8
SHA512

84f7fac2724b5e858a0a874b1eea802ea74feb08eb1c344e13c6fb0863d572b126a54d0ac7b83e66a24367dce260da0c00e951980f537f7fadde09b3d6a159ee
SSDEEP

6144:eWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvCc//IQ3sd:eWkEuCaNT85I2vCMX5l+ZRvJ/wQ3sd

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Deletes itself 1 IoCs

pid	Process
2512	{34184A33-0407-212E-3320-09040709E2C2}.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	{34184A33-0407-212E-3320-09040709E2C2}.exe
2692	{34184A33-0407-212E-3320-09040709E2C2}.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	36d2bd43c8cea74a7e899f57c9baab64.exe
2512	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2512	3048	36d2bd43c8cea74a7e899f57c9baab64.exe	28
PID 3048 wrote to memory of 2512	3048	36d2bd43c8cea74a7e899f57c9baab64.exe	28
PID 3048 wrote to memory of 2512	3048	36d2bd43c8cea74a7e899f57c9baab64.exe	28
PID 3048 wrote to memory of 2512	3048	36d2bd43c8cea74a7e899f57c9baab64.exe	28
PID 2512 wrote to memory of 2692	2512	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 2512 wrote to memory of 2692	2512	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 2512 wrote to memory of 2692	2512	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 2512 wrote to memory of 2692	2512	{34184A33-0407-212E-3320-09040709E2C2}.exe	29

C:\Users\Admin\AppData\Local\Temp\36d2bd43c8cea74a7e899f57c9baab64.exe
"C:\Users\Admin\AppData\Local\Temp\36d2bd43c8cea74a7e899f57c9baab64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\36d2bd43c8cea74a7e899f57c9baab64.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
    3⤵
    - Executes dropped EXE
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
8KB

MD5
83ae24d0bc92dd822ab9a4a5fcd9a292

SHA1
7a604555312a94795ed23cb82f1a558ebf4df7ac

SHA256
9c38a1c0c9f22e1daab59791f2986fddb7070f5a17b03575993abcc9fa1761bd

SHA512
9dda4b1413b1f99217ccd099b10aa876cc9bed2e3e684352374dc3c9dc75f1e0452932230d34d3ee303813af2206e789de8bad8e65126297500ad5360cb35605

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
395KB

MD5
36d2bd43c8cea74a7e899f57c9baab64

SHA1
84bc63932258fb3a58c39465b365cecf920547ec

SHA256
163db290ba2f8a088ea7bb5838bb3747cd49ed89848dc378f190b9fc8f0fe7c8

SHA512
84f7fac2724b5e858a0a874b1eea802ea74feb08eb1c344e13c6fb0863d572b126a54d0ac7b83e66a24367dce260da0c00e951980f537f7fadde09b3d6a159ee

Download Submit
\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
64KB

MD5
3987bb6555f2dc1433817d1436807300

SHA1
f96d3c6a3e4c322e9ab5000bf6cc585a479d3c2d

SHA256
08a27ae6bd69d9498f37e87e2a55ac550ebd1e82bde41a5f2b90cf99951f0efb

SHA512
d0983c385e2deddab92d4e350a84f845ab84745957dc09a5262f858b4a8f6b5a1bc09d851f999ce02e06c9a7fc9abbbd24610873b5246e3deaf743cd690a8f8e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads