Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 15:36
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe
Resource
win7-20231215-en
General
-
Target
2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe
-
Size
31KB
-
MD5
6f403dddf26e8e95554e0b18e3d6a0cc
-
SHA1
546de8c03bfed2b884cbee5c7f142fec269aed1c
-
SHA256
b926658227ec1a05d3f20bee63cfa53b71238913baa5ed266a704e7f6f2826c9
-
SHA512
0034e85034bdee349420dcd8a2ee55e15c48b97e5621f16664bf71d94a9aaf0d06fc2417fd579458a607981d6260af4d5b1065b9e6c8a6e2c9a7038f0c0fc5f7
-
SSDEEP
384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznUsDvE:b/yC4GyNM01GuQMNXw2PSjZc
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\retln.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
retln.exepid process 1816 retln.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exedescription pid process target process PID 2328 wrote to memory of 1816 2328 2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe retln.exe PID 2328 wrote to memory of 1816 2328 2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe retln.exe PID 2328 wrote to memory of 1816 2328 2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe retln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_6f403dddf26e8e95554e0b18e3d6a0cc_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\retln.exe"C:\Users\Admin\AppData\Local\Temp\retln.exe"2⤵
- Executes dropped EXE
PID:1816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\retln.exeFilesize
31KB
MD5613c73c528adbcf26ea87fbbe1a97a02
SHA14278e9fa93a4d5e57d09828e36397eb52d9356ad
SHA2565297b43a515ebf2e0646903455a556a393f0758bddbfcfee75f7c989b246356e
SHA512e72d8bc213da25400286b9c57de27bef1d555e5bcc21effe801a7fbad7273fab226935be61928a85c8008de99ffd1b72f7a99339adf4f3c7e74a728b38bfdd24
-
memory/1816-25-0x0000000002D60000-0x0000000002D66000-memory.dmpFilesize
24KB
-
memory/2328-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmpFilesize
24KB
-
memory/2328-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmpFilesize
24KB
-
memory/2328-2-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB