Analysis Overview
SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
Threat Level: Known bad
The file CryptoLocker.exe was found to be: Known bad.
Malicious Activity Summary
CryptoLocker
Cryptolocker family
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 16:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 16:02
Reported
2024-11-10 16:05
Platform
win7-20240729-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
CryptoLocker
Cryptolocker family
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
Network
Files
\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
| Hash | Value |
| --- | --- |
| MD5 | 04fb36199787f2e3e2135611a38321eb |
| SHA1 | 65559245709fe98052eb284577f1fd61c01ad20d |
| SHA256 | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9 |
| SHA512 | 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 16:02
Reported
2024-11-10 16:03
Platform
win10v2004-20241007-en
Max time kernel
46s
Max time network
47s
Command Line
Signatures
CryptoLocker
Cryptolocker family
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
Files
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
| Hash | Value |
| --- | --- |
| MD5 | 04fb36199787f2e3e2135611a38321eb |
| SHA1 | 65559245709fe98052eb284577f1fd61c01ad20d |
| SHA256 | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9 |
| SHA512 | 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444 |