Analysis Overview
SHA256
3e6b5e3b5e794c5ed3fac5bf9fb824072730bf7e6816432132088386f186a3b3
Threat Level: Known bad
The file 2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Kinsing
Detection of CryptoLocker Variants
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Creates a large amount of network flows
Enumerates physical storage devices
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:40
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:40
Reported
2024-01-25 17:43
Platform
win7-20231215-en
Max time kernel
16s
Max time network
118s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe | N/A |
Creates a large amount of network flows
Enumerates physical storage devices
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1768 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/1768-0-0x0000000000410000-0x0000000000416000-memory.dmp
memory/1768-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1768-8-0x0000000000410000-0x0000000000416000-memory.dmp
\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | 62cc778e5f787e41e077c63cf9b7d2cb |
| SHA1 | 3ed1e59f498e3044b9a56d6ae7d98156b262330a |
| SHA256 | 6131bff917f0b6b21e967a1f77cb99f4482e092d71495a57fef69a6947e95562 |
| SHA512 | 4877be93aada7e78cb00043c23ebe2e065b0b312512bdfadea6ec31181186bfaac22833d6f1d7581507790b3bfeb9d44a7abfd763dee2745348b994a97e95d3a |
memory/2700-20-0x0000000000310000-0x0000000000316000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:40
Reported
2024-01-25 17:43
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Kinsing
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2616 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ea1c97d4a55233587d16fea3d2118c22_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2616-0-0x0000000002340000-0x0000000002346000-memory.dmp
memory/2616-1-0x0000000002340000-0x0000000002346000-memory.dmp
memory/2616-2-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | 62cc778e5f787e41e077c63cf9b7d2cb |
| SHA1 | 3ed1e59f498e3044b9a56d6ae7d98156b262330a |
| SHA256 | 6131bff917f0b6b21e967a1f77cb99f4482e092d71495a57fef69a6947e95562 |
| SHA512 | 4877be93aada7e78cb00043c23ebe2e065b0b312512bdfadea6ec31181186bfaac22833d6f1d7581507790b3bfeb9d44a7abfd763dee2745348b994a97e95d3a |
memory/2760-21-0x0000000000500000-0x0000000000506000-memory.dmp