61c573f2cdcf8e5a2734408407559746774d5950e2ef874a38ba022d65d67bf5

Analysis

max time kernel
6s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe
Size

36KB
MD5

4dbfb24ec6b9576ca1e5668e4c0619fe
SHA1

7b8389f21d821e184736e5e8d43ad1d0b846c30f
SHA256

61c573f2cdcf8e5a2734408407559746774d5950e2ef874a38ba022d65d67bf5
SHA512

e7af818e7b87f56eed3cf0a3b73d08211e2554cf2b52fd0d415befb029ecac3c6d452b4a6817d1c71ed48234654cda471d9a7b2cbfc85f13dcc8eb1c44271988
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlb:b/yC4GyNM01GuQMNXw2PSjHPbSuYlb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 2724	3996	2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe	35
PID 3996 wrote to memory of 2724	3996	2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe	35
PID 3996 wrote to memory of 2724	3996	2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_4dbfb24ec6b9576ca1e5668e4c0619fe_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
23KB

MD5
704f52f499f48a0bc677a6a8d51a421d

SHA1
f3a7d8121e4c4c7cb6e01b67dfe0b42cd0b718a0

SHA256
7528ec9416c6b1a77f7a540919ac58512438dee9e09be664811aa41c62a0d7b6

SHA512
4f4979435fda10123a77ab94997ab2c822ddf7e5a575e8fe2c5d1128d423da173d5e1883ade8866c5814e191ef1557b670a9e2816a59b7a1cbcbcc2885331656

Download Submit
C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
1KB

MD5
733a2df7e5183c400c5fc4b721f988e4

SHA1
c935fbf3e365f478bb9ad7add8e68aa00b56fafa

SHA256
fa2402cbb504d9209d1794f1fbbad6bd183c41df9d1c8d3f24582b6f2fcf2c1e

SHA512
c51ae5d1078b1029da76008547bbad1574b11f581c9d53bd747afe560f05b2813d49345495db2b5e66db5eba880a3aa58b5ef10e3b0e5bad8ecf324020324904

Download Submit
C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
10KB

MD5
204ffee836bb753707bfdd7b35e1c2cc

SHA1
2cb15e00f94a0243477f0d9b9a238d89387127ae

SHA256
6464512280e3d61dd11f370977b973c45a576352c0805fe83b615c2784bec7dd

SHA512
10f04df41b4e7a11d5df484e0aff449f4515e4216fdcd2d1706f935cfb6855c5f14b501c3f4889e102d4a21288255022199cd47a99ba09ee52f0a634821efddd

Download Submit
memory/2724-21-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/3996-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3996-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3996-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download