583a5315717318261c3563a11af539ea392a2b88a52bce6e93465a2919a67535

Analysis

max time kernel
8s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe
Size

38KB
MD5

9ec818c12aa6c48167beaec35fb60826
SHA1

7ebe54ffc9b54c341aeec40b5a0e8812b3dca253
SHA256

583a5315717318261c3563a11af539ea392a2b88a52bce6e93465a2919a67535
SHA512

99e208d048bc960dccd29ec2f577004f2570bf2772a38771be94a0e7d08621956e1bfccfc1930877b66887150414eb47a81c195437564a73e768306145ee0813
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlxub9zX:b/yC4GyNM01GuQMNXw2PSjHPbSuYl0p

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
1456	2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1456	2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe
1984	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1984	1456	2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe	28
PID 1456 wrote to memory of 1984	1456	2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe	28
PID 1456 wrote to memory of 1984	1456	2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe	28
PID 1456 wrote to memory of 1984	1456	2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_9ec818c12aa6c48167beaec35fb60826_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
38KB

MD5
c88c17880a8df435f709163a72c7c3ee

SHA1
b6ec00ba55763f75406950f6105214496d914272

SHA256
066c65079df9916efd8dc3a1a7ad90331054e1e937ac7fd4d7c7a460f37feaec

SHA512
11e662e44286233152186367a1d3ccdbe486183fa06fa3f371225dd4f71a087c208ff019af6eb5a66704836195cbb6eea4ea1148670178cfeb11727145fb4c82

Download Submit
memory/1456-0-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1456-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1456-6-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1984-21-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download