cryptolocker

General

Target

WinRAR-ZIP-Archiv (neu).zip
Size

661KB
Sample

240328-sar47sha3x
MD5

3fb9302a9bb732ead22e983216cf9ce2
SHA1

dde895a60d2e66a268ffca1e9c251cab6097a027
SHA256

c8b41de669363ff7fecae244b46fcc2455cf09c10fd783815094659f912ee326
SHA512

cabe19f842bda50b7d979f32217f3e95e6e0e2ac8b5827080939549e05931ee0a8cde9be7d41664a0be243b33dbddea1df0ccbebbf87004e801441a414f0ee39
SSDEEP

12288:dcjOSQr11lCeqDBLT1VFj/ofBWy0tVKmhxfQRcQ2qq0HKiDSfutT/a8PBN:uaSQJ1ll0V5ofx0tVKCxfQRcQ2EH2fuf

Score

10^/10

Malware Config

Targets

- Target
  
  215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4.exe.old
- Size
  
  32KB
- MD5
  
  9de48e7cfc2bc56631387e527f859efd
- SHA1
  
  959b863e84103132f89a10a7fd6981771881f763
- SHA256
  
  215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4
- SHA512
  
  0f899f44536b651b97204dd876013796c6835d0562d04c479ba3b73032ab15edc8307f9f2d96057a673a5f12be16e85a084dc73e6c76b73f8646e8f354bea2f7
- SSDEEP
  
  768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpNEmK/4BM:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xo
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1
- Target
  
  5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe.old
- Size
  
  208KB
- MD5
  
  12bc78e07cb69dd6ec32729240dbe537
- SHA1
  
  7b7d9b115ec10074f7166ec3379fead6e816da59
- SHA256
  
  5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9
- SHA512
  
  c974592671b081d0af48c1aab9f9f02243773a081d9fadf70e3caa7454dca657b45bece27852397e74f601df1abdf5db496c821a5df624057355fd15c807e15a
- SSDEEP
  
  3072:GXbUMNAwQ2Jpo/AkQCUyevi8xRpz81NADJ2:ibUMKwQ2J4ReviSjeKN
Score

10^/10

cryptolocker ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral2
- Target
  
  8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe.old
- Size
  
  362KB
- MD5
  
  7fefb77a270715166ddd1e323695a9bd
- SHA1
  
  a8bf6a35a9605932332d44ff6983a83febb0b99f
- SHA256
  
  8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788
- SHA512
  
  de27be7ce7bc5443f0117d0cf0ec9e02266339a23c07a966baa741cd736d3539c7806801186fe3a940f843da4b0b4ebbd55e8c50d6c32c760ef578b17f48b121
- SSDEEP
  
  6144:XW8Abuyx83ECgS8DBN8+betvD0tU0qOixjuxduaZ2YjkwEL/S:m8uxp9C+SqiyduMzkwEr
Score

9^/10

ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (1975) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral3
- Target
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe.old
- Size
  
  338KB
- MD5
  
  04fb36199787f2e3e2135611a38321eb
- SHA1
  
  65559245709fe98052eb284577f1fd61c01ad20d
- SHA256
  
  d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
- SHA512
  
  533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
- SSDEEP
  
  6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Score

10^/10

cryptolocker persistence ransomware
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe.old
- Size
  
  15KB
- MD5
  
  aedb1ad5304921ac3883570ebb647a29
- SHA1
  
  eb91ca0baf1e7be6b538871714c727232a981acf
- SHA256
  
  f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712
- SHA512
  
  6bbe14d668223b1b43e4ce9f7a75eb5892a2cd917b9e725edfda490113860a2ba8971cdbdef33e60a473fd0f831af1812ee6c4671f64be2c45958fa68fe4e88c
- SSDEEP
  
  384:nl+IiU+Xh2GFstXnzVmzN/Gv2utvWmIptYcFwVc03K:ox2GGtpG6NfctYcFwVc6K
Score

10^/10

persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral5