cryptolocker | 52529731c9efe8195b73ccff56562453b513d85d85b5bc2643e91cc1431a15ad

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b96d73c84ccbd9f3e1ec466891504108.exe
Size

412KB
MD5

b96d73c84ccbd9f3e1ec466891504108
SHA1

a894f16e89f3a92857700ee995c71072c01e2e97
SHA256

52529731c9efe8195b73ccff56562453b513d85d85b5bc2643e91cc1431a15ad
SHA512

eef43a7e1ef99120d7b22daaa9d5ab216b6620d91aac0a1576f7e1f0db994e537c0ced4a9d0b388eeab69a51142ecd66870ed753ecaf6d4adbeacd8d9eec27ee
SSDEEP

6144:2Wmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvCKp4p3bpyjzx4oQD4Slg:2WkEuCaNT85I2vCMX5l+ZRvnfd

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Deletes itself 1 IoCs

pid	Process
2720	{34184A33-0407-212E-3320-09040709E2C2}.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	{34184A33-0407-212E-3320-09040709E2C2}.exe
2520	{34184A33-0407-212E-3320-09040709E2C2}.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	b96d73c84ccbd9f3e1ec466891504108.exe
2720	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2720	2272	b96d73c84ccbd9f3e1ec466891504108.exe	28
PID 2272 wrote to memory of 2720	2272	b96d73c84ccbd9f3e1ec466891504108.exe	28
PID 2272 wrote to memory of 2720	2272	b96d73c84ccbd9f3e1ec466891504108.exe	28
PID 2272 wrote to memory of 2720	2272	b96d73c84ccbd9f3e1ec466891504108.exe	28
PID 2720 wrote to memory of 2520	2720	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 2720 wrote to memory of 2520	2720	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 2720 wrote to memory of 2520	2720	{34184A33-0407-212E-3320-09040709E2C2}.exe	29
PID 2720 wrote to memory of 2520	2720	{34184A33-0407-212E-3320-09040709E2C2}.exe	29

C:\Users\Admin\AppData\Local\Temp\b96d73c84ccbd9f3e1ec466891504108.exe
"C:\Users\Admin\AppData\Local\Temp\b96d73c84ccbd9f3e1ec466891504108.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\b96d73c84ccbd9f3e1ec466891504108.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
    3⤵
    - Executes dropped EXE
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
412KB

MD5
b96d73c84ccbd9f3e1ec466891504108

SHA1
a894f16e89f3a92857700ee995c71072c01e2e97

SHA256
52529731c9efe8195b73ccff56562453b513d85d85b5bc2643e91cc1431a15ad

SHA512
eef43a7e1ef99120d7b22daaa9d5ab216b6620d91aac0a1576f7e1f0db994e537c0ced4a9d0b388eeab69a51142ecd66870ed753ecaf6d4adbeacd8d9eec27ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads