cryptolocker | 2514a2fe3d78d5974c2c3b080d20707f95653cd1892be272733264f202de24ac

Analysis

max time kernel
136s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1c38c5beea330b94b80a97980a96762.exe
Size

390KB
MD5

b1c38c5beea330b94b80a97980a96762
SHA1

5e3647cbb76dc43998922e4ebaa741ea7d34126e
SHA256

2514a2fe3d78d5974c2c3b080d20707f95653cd1892be272733264f202de24ac
SHA512

2054280aaa0d94582c1b45e4ff8f7986ea01c212f813a551f908b648f49988a955deaea259ed5d264c610b7c9024231945ced3685d4ce2132e75552a86442a7a
SSDEEP

6144:rWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvCQAISbg:rWkEuCaNT85I2vCMX5l+ZRvmIf

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Deletes itself 1 IoCs

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

2468 {34184A33-0407-212E-3320-09040709E2C2}.exe
Executes dropped EXE 2 IoCs

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

2468 {34184A33-0407-212E-3320-09040709E2C2}.exe
2576 {34184A33-0407-212E-3320-09040709E2C2}.exe
Loads dropped DLL 2 IoCs

Processes:

b1c38c5beea330b94b80a97980a96762.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

2720 b1c38c5beea330b94b80a97980a96762.exe
2468 {34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
2468	{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
2468	{34184A33-0407-212E-3320-09040709E2C2}.exe
2576	{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
2720	b1c38c5beea330b94b80a97980a96762.exe
2468	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b1c38c5beea330b94b80a97980a96762.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

description	pid	process	target process
PID 2720 wrote to memory of 2468	2720	b1c38c5beea330b94b80a97980a96762.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2720 wrote to memory of 2468	2720	b1c38c5beea330b94b80a97980a96762.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2720 wrote to memory of 2468	2720	b1c38c5beea330b94b80a97980a96762.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2720 wrote to memory of 2468	2720	b1c38c5beea330b94b80a97980a96762.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2468 wrote to memory of 2576	2468	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2468 wrote to memory of 2576	2468	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2468 wrote to memory of 2576	2468	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2468 wrote to memory of 2576	2468	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Local\Temp\b1c38c5beea330b94b80a97980a96762.exe
"C:\Users\Admin\AppData\Local\Temp\b1c38c5beea330b94b80a97980a96762.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\b1c38c5beea330b94b80a97980a96762.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
    3⤵
    - Executes dropped EXE
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
390KB

MD5
b1c38c5beea330b94b80a97980a96762

SHA1
5e3647cbb76dc43998922e4ebaa741ea7d34126e

SHA256
2514a2fe3d78d5974c2c3b080d20707f95653cd1892be272733264f202de24ac

SHA512
2054280aaa0d94582c1b45e4ff8f7986ea01c212f813a551f908b648f49988a955deaea259ed5d264c610b7c9024231945ced3685d4ce2132e75552a86442a7a

Download Submit