cryptolocker | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

General

Target

CryptoLocker.exe
Size

338KB
MD5

04fb36199787f2e3e2135611a38321eb
SHA1

65559245709fe98052eb284577f1fd61c01ad20d
SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512

533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
SSDEEP

6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

Score

10^/10

cryptolocker discovery persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Downloads MZ/PE file 1 IoCs

flow	pid	Process
40	4296	Process not Found

Deletes itself 1 IoCs

pid	Process
1332	{34184A33-0407-212E-3320-09040709E2C2}.exe

Executes dropped EXE 2 IoCs

pid	Process
1332	{34184A33-0407-212E-3320-09040709E2C2}.exe
4536	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4596	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2064	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1332	2824	CryptoLocker.exe	87
PID 2824 wrote to memory of 1332	2824	CryptoLocker.exe	87
PID 2824 wrote to memory of 1332	2824	CryptoLocker.exe	87
PID 1332 wrote to memory of 4536	1332	{34184A33-0407-212E-3320-09040709E2C2}.exe	88
PID 1332 wrote to memory of 4536	1332	{34184A33-0407-212E-3320-09040709E2C2}.exe	88
PID 1332 wrote to memory of 4536	1332	{34184A33-0407-212E-3320-09040709E2C2}.exe	88

C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4536

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RemoveGrant.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDQ2QzU1RjEtNUM3Ri00QTY5LUE4OEEtNzYyNzVFRjE5NkEwfSIgdXNlcmlkPSJ7NTNCNUE1NkEtMUMyMy00NEYyLUFERkEtMjE2QzE1QjRDOEVDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDk0RERDRkUtOEVFRS00NjhBLThEMkItRTA4Q0UyMDdEN0M1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODYyNTc4NjE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
297B

MD5
3f8acfc30de76e5bc1230f47ab87d662

SHA1
db6a20da32048611672c8b11a019972c25e431d0

SHA256
01c541b1ccda82b8a1f75f8647824bb8cf32209e46858c63a5bc0b26abf37e9d

SHA512
c44824f438a563b813574fa7ac7a44433d8529260de544275391c561cd1aa7826cbec0e1d3067eb8d66ac1f88e881cb92002b9f278b3d4e8d78fbc2722777f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
808b06062ee0887f7ffab3b5c8eb80b0

SHA1
a03695edb3fca076e20d328182242719f3c06390

SHA256
a8fc0aaf11e4506a794e5e7a66d1777d569988962b4330ca2071239857072d07

SHA512
096dfc9eea3aa308fb4f199bc89dbaad6c5524898a8469ee5027bd7a0b4293e6b667bc6f40b12eb54a3bcdb503fc5076b4ee69c583f4c89a2d15e042af00b3af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
8536736b4f5c2be0b953e32db6e6446b

SHA1
d6a04a6075382837c57262806e537948f6c6f62b

SHA256
ecbe686ff2304cf8bad26f882f1764ecd64eab658a5ca1c6bc66d5c9227d3822

SHA512
9e6abe40a9ad21719f291901983f83fb97f4d983a360529d8496b929ab222bee4c787c8dda458e58d0d44b8e5f34521cb75f9acc255b7d1e49f72c809cc9b5b6

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
memory/2064-6-0x00007FF9057D0000-0x00007FF9057E0000-memory.dmp

Filesize
64KB

Download
memory/2064-8-0x00007FF9057D0000-0x00007FF9057E0000-memory.dmp

Filesize
64KB

Download
memory/2064-7-0x00007FF9057D0000-0x00007FF9057E0000-memory.dmp

Filesize
64KB

Download
memory/2064-9-0x00007FF9057D0000-0x00007FF9057E0000-memory.dmp

Filesize
64KB

Download
memory/2064-10-0x00007FF9057D0000-0x00007FF9057E0000-memory.dmp

Filesize
64KB

Download
memory/2064-11-0x00007FF903570000-0x00007FF903580000-memory.dmp

Filesize
64KB

Download
memory/2064-12-0x00007FF903570000-0x00007FF903580000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads