d1c719a0e6153fe19a841fc20e46855533296c2a4acc8138e05af05653999ff6

Analysis

max time kernel
7s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe
Size

32KB
MD5

4ac284cb902670c5ddbc1354ea51b97a
SHA1

fdde7fba2342b89bc7f03baadbcff3dc8411b262
SHA256

d1c719a0e6153fe19a841fc20e46855533296c2a4acc8138e05af05653999ff6
SHA512

01ea1cc18b9fae32fe396484fa751c1e00e0834ab0d706c4bb9299f3d4a87ed16fdbc683c650bc7f996d96dc102c738923c5976510cb6cdc54ec3c0416596146
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEEr9VE/n:b/yC4GyNM01GuQMNXw2PSjSKEBVE/n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1108	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
1872	2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1872	2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe
1108	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1108	1872	2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe	28
PID 1872 wrote to memory of 1108	1872	2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe	28
PID 1872 wrote to memory of 1108	1872	2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe	28
PID 1872 wrote to memory of 1108	1872	2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_4ac284cb902670c5ddbc1354ea51b97a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
32KB

MD5
5392fb01504ee1ca1523a692c1d1dde6

SHA1
b5643ffa95540147d7ca503e80ddc53a7fcf2e93

SHA256
65aad8239a7dc242bacfbd23678ca9515916f80ee3f175273cb08a171ec80daa

SHA512
fa286da2edabd2f4637f8f3345defcb85c5cf3494410ce54842795401f25c003b77a7a4fccacb622b0a98393b03719c58ec6cb71e409c0567f66217224dcbe3c

Download Submit
memory/1108-23-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1872-0-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/1872-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1872-7-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download