cryptolocker | 73ab84178a6cddd1589f0d9ba8634dbcbd3dec886ed280a836d302a023a9fc9f

Analysis

max time kernel
187s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware.rar
Size

2.0MB
MD5

be9234c7da40177c8ac943cfa675a9ce
SHA1

debe723432e936459324cd3a3dd36a79a69b6389
SHA256

73ab84178a6cddd1589f0d9ba8634dbcbd3dec886ed280a836d302a023a9fc9f
SHA512

76189183d32c041a7c23191ea74b8bc22fe94d04808e11b9943b111fb592325fda0784e8a2832d6dfc980e947b07a02ad8a3934380f18de4cfd7fb0b6dbe554c
SSDEEP

49152:OolgsK4DPhW3GaMrnPO1+WCanyw9uJb49xiSXRzxklk:OolDK4DYWaCOiatuSvh9klk

Score

10^/10

cryptolocker ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Executes dropped EXE 3 IoCs

pid	Process
5188	Ransomware.exe
4088	Ransomware.exe
1632	Ransomware.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	checkip.amazonaws.com
6	checkip.amazonaws.com
7	checkip.amazonaws.com
11	checkip.amazonaws.com

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1156	wmic.exe
348	wmic.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Ransomware.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Ransomware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ransomware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	Ransomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc5c000000010000000400000000080000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e26200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Ransomware.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Ransomware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Ransomware.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4156	powershell.exe
4156	powershell.exe
2800	powershell.exe
2800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5316	7zFM.exe
Token: 35	5316	7zFM.exe
Token: SeSecurityPrivilege	5316	7zFM.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: 36	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: 36	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	6048	wmic.exe
Token: SeSecurityPrivilege	6048	wmic.exe
Token: SeTakeOwnershipPrivilege	6048	wmic.exe
Token: SeLoadDriverPrivilege	6048	wmic.exe
Token: SeSystemProfilePrivilege	6048	wmic.exe
Token: SeSystemtimePrivilege	6048	wmic.exe
Token: SeProfSingleProcessPrivilege	6048	wmic.exe
Token: SeIncBasePriorityPrivilege	6048	wmic.exe
Token: SeCreatePagefilePrivilege	6048	wmic.exe
Token: SeBackupPrivilege	6048	wmic.exe
Token: SeRestorePrivilege	6048	wmic.exe
Token: SeShutdownPrivilege	6048	wmic.exe
Token: SeDebugPrivilege	6048	wmic.exe
Token: SeSystemEnvironmentPrivilege	6048	wmic.exe
Token: SeRemoteShutdownPrivilege	6048	wmic.exe
Token: SeUndockPrivilege	6048	wmic.exe
Token: SeManageVolumePrivilege	6048	wmic.exe
Token: 33	6048	wmic.exe
Token: 34	6048	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5316	7zFM.exe
5316	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 5188	2408	cmd.exe	86
PID 2408 wrote to memory of 5188	2408	cmd.exe	86
PID 2408 wrote to memory of 4088	2408	cmd.exe	88
PID 2408 wrote to memory of 4088	2408	cmd.exe	88
PID 4088 wrote to memory of 1640	4088	Ransomware.exe	89
PID 4088 wrote to memory of 1640	4088	Ransomware.exe	89
PID 4088 wrote to memory of 6048	4088	Ransomware.exe	91
PID 4088 wrote to memory of 6048	4088	Ransomware.exe	91
PID 4088 wrote to memory of 1156	4088	Ransomware.exe	92
PID 4088 wrote to memory of 1156	4088	Ransomware.exe	92
PID 4088 wrote to memory of 1996	4088	Ransomware.exe	93
PID 4088 wrote to memory of 1996	4088	Ransomware.exe	93
PID 4088 wrote to memory of 4080	4088	Ransomware.exe	94
PID 4088 wrote to memory of 4080	4088	Ransomware.exe	94
PID 4088 wrote to memory of 3932	4088	Ransomware.exe	95
PID 4088 wrote to memory of 3932	4088	Ransomware.exe	95
PID 4088 wrote to memory of 4156	4088	Ransomware.exe	96
PID 4088 wrote to memory of 4156	4088	Ransomware.exe	96
PID 2408 wrote to memory of 1632	2408	cmd.exe	102
PID 2408 wrote to memory of 1632	2408	cmd.exe	102
PID 1632 wrote to memory of 3956	1632	Ransomware.exe	103
PID 1632 wrote to memory of 3956	1632	Ransomware.exe	103
PID 1632 wrote to memory of 5820	1632	Ransomware.exe	105
PID 1632 wrote to memory of 5820	1632	Ransomware.exe	105
PID 1632 wrote to memory of 348	1632	Ransomware.exe	106
PID 1632 wrote to memory of 348	1632	Ransomware.exe	106
PID 1632 wrote to memory of 772	1632	Ransomware.exe	107
PID 1632 wrote to memory of 772	1632	Ransomware.exe	107
PID 1632 wrote to memory of 248	1632	Ransomware.exe	109
PID 1632 wrote to memory of 248	1632	Ransomware.exe	109
PID 1632 wrote to memory of 1728	1632	Ransomware.exe	110
PID 1632 wrote to memory of 1728	1632	Ransomware.exe	110
PID 1632 wrote to memory of 2800	1632	Ransomware.exe	111
PID 1632 wrote to memory of 2800	1632	Ransomware.exe	111

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5316

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\Desktop\Ransomware.exe
  Ransomware.exe
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Users\Admin\Desktop\Ransomware.exe
  Ransomware.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6048
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1156
- - C:\Windows\System32\Wbem\wmic.exe
    wmic memorychip get capacity
    3⤵
    PID:1996
- - C:\Windows\System32\Wbem\wmic.exe
    wmic logicaldisk where drivetype=3 get size,freespace
    3⤵
    PID:4080
- - C:\Windows\system32\cmd.exe
    cmd /c ver
    3⤵
    PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-MpComputerStatus
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4156
- C:\Users\Admin\Desktop\Ransomware.exe
  Ransomware.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3956
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get name
    3⤵
    PID:5820
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:348
- - C:\Windows\System32\Wbem\wmic.exe
    wmic memorychip get capacity
    3⤵
    PID:772
- - C:\Windows\System32\Wbem\wmic.exe
    wmic logicaldisk where drivetype=3 get size,freespace
    3⤵
    PID:248
- - C:\Windows\system32\cmd.exe
    cmd /c ver
    3⤵
    PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-MpComputerStatus
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2800

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\69227ffe-f57e-4f04-ba56-f414ea8e9a0c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
e4502e12eddb65147ccb0c39021d5c54

SHA1
e0c340c26168e569ed1b09955e386922b9c76fc0

SHA256
ca1d08100dade9a95b1f93a37ac07587d9dca6866a8cb87436aadd5d29c86d6c

SHA512
9619f8745eaa0f18f6372258d3e7e068c0347fb1effa578bff7d173d6ee49507610316036c712834f8e336a01e95ba8d6ba8270ae1a439481877cc37b51405fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m35fsdre.5jp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\DECRYPT_INSTRUCTIONS.txt

Filesize
79B

MD5
ed0a365f7c573e01e32438e174787b49

SHA1
1efadd3b97535dda8dcf05b7a0c0e7e98280ccc0

SHA256
faadea8971c2dfae82cb9c3a7daf87a854bc7e066ce7fec05e18518aa2b90f81

SHA512
951cb87cbeb0d44686525769fa9e8cc12fbb752d018e19efe211a56c9edef255844e87c134d04f778233602c973548a89e477d3f0e506562a8bba59228b0b706

Download Submit
C:\Users\Admin\Desktop\Ransomware.exe

Filesize
5.8MB

MD5
4d9821dbd232afd7f1435b00604f3627

SHA1
42982f1ed1462a45ac3c255e804b589d09a492e8

SHA256
ebe0048a9c5ba9f0fcc032c7e7c2c5f70a30aefccbfa96820ebd6d53e912f6e1

SHA512
5bcd5ccffd259b132924146860a49a46465a41db67e4f16ab0284cce8928cce3e93f5269e08096f92c2d6de6a3c32b2f071f05667f1f424e2db6dea1af8b5329

Download Submit
memory/4156-28-0x0000022A2F180000-0x0000022A2F1A2000-memory.dmp

Filesize
136KB

Download