6be70c12a7a0879e1fc176a0fbd425847989a291ab61dc1ddce0d731ec46e309

Analysis

max time kernel
2s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe
Size

32KB
MD5

259f9b58e5f27071472b5909427585c5
SHA1

b4da42c7aabb032efc1cec19394eb8c5b370f37e
SHA256

6be70c12a7a0879e1fc176a0fbd425847989a291ab61dc1ddce0d731ec46e309
SHA512

7079291937b07ca5f54c1222e4f1ebd33e6ec0ec28985c3257947c6e3e235ecea8c4ea082d8626b890de4908b99aeaf72894e7ae0a8a86b0e79da5b16ad00a53
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6A0X/Xd:b/yC4GyNM01GuQMNXw2PSjH+PN

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012321-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2732	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1900	2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe
2732	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2732	1900	2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe	28
PID 1900 wrote to memory of 2732	1900	2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe	28
PID 1900 wrote to memory of 2732	1900	2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe	28
PID 1900 wrote to memory of 2732	1900	2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
32KB

MD5
1e03ae0437c4513a3b47918ab5776e0b

SHA1
0f1e86100d331039b61dc60d724a643b6897bc31

SHA256
9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5

SHA512
5c2856c89aec01e9e508e5a045eaf4f2cd3d335aa8c0aef530afdcca30d351b02fb15a4831321bf55ab853970f671ce607177a78e6143b5690a505a7da1cb511

Download Submit
memory/1900-0-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1900-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1900-7-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2732-17-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download