Analysis Overview
SHA256
6be70c12a7a0879e1fc176a0fbd425847989a291ab61dc1ddce0d731ec46e309
Threat Level: Known bad
The file 2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Kinsing
Detection of CryptoLocker Variants
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Creates a large amount of network flows
Enumerates physical storage devices
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:44
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:44
Reported
2024-01-25 17:46
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Kinsing
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 432 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 432 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 432 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/432-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/432-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/432-2-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | 1e03ae0437c4513a3b47918ab5776e0b |
| SHA1 | 0f1e86100d331039b61dc60d724a643b6897bc31 |
| SHA256 | 9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5 |
| SHA512 | 5c2856c89aec01e9e508e5a045eaf4f2cd3d335aa8c0aef530afdcca30d351b02fb15a4831321bf55ab853970f671ce607177a78e6143b5690a505a7da1cb511 |
memory/2068-20-0x0000000002D60000-0x0000000002D66000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:44
Reported
2024-01-25 17:46
Platform
win7-20231215-en
Max time kernel
2s
Max time network
149s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | N/A |
Creates a large amount of network flows
Enumerates physical storage devices
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1900 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1900 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1900 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/1900-0-0x0000000000380000-0x0000000000386000-memory.dmp
memory/1900-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1900-7-0x0000000000380000-0x0000000000386000-memory.dmp
\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | 1e03ae0437c4513a3b47918ab5776e0b |
| SHA1 | 0f1e86100d331039b61dc60d724a643b6897bc31 |
| SHA256 | 9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5 |
| SHA512 | 5c2856c89aec01e9e508e5a045eaf4f2cd3d335aa8c0aef530afdcca30d351b02fb15a4831321bf55ab853970f671ce607177a78e6143b5690a505a7da1cb511 |
memory/2732-17-0x0000000000310000-0x0000000000316000-memory.dmp
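The two behavioural runs above (behavioral2 on Win10, behavioral1 on Win7) show the same pattern: the submitted sample drops retln.exe into the user's Temp directory, spawns it, writes into the child's memory several times and, on Win7, also unmaps a main image, while the only non-PTR network activity is a stream of DNS lookups for storage-cabinets.info. The script below is an added example, not part of the sandbox report or of any tool mentioned on this page; it turns those rows into two reusable detection checks. PIDs, paths, hashes, the domain and the query counts are transcribed from the report; the event schema, the ordering of events within a run and the ten-lookup repeat threshold are assumptions.

```python
"""Detection checks built from this sandbox report's behavioural rows.

Added example, not part of the report or the sandbox's own code.  PIDs,
paths, hashes, query counts and the domain are transcribed from the report;
the event schema, event ordering and the repeat threshold are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report.
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\retln.exe"
DROPPED_EXE_SHA256 = "9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5"
C2_DOMAIN = "storage-cabinets.info"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Event:
    run: str             # sandbox run the row came from
    kind: str            # spawn | write_memory | unmap_main_image
    pid: int             # acting process
    target_pid: int = 0  # child / written process, for spawn and write_memory
    image: str = ""      # image path of the spawned child


# Constructed event log mirroring the report: 3 WriteProcessMemory rows
# (432 -> 2068) on Win10, 4 rows (1900 -> 2732) plus UnmapMainImage on
# both processes on Win7.  Ordering within a run is assumed.
EVENTS = [
    Event("behavioral2", "spawn", 432, 2068, DROPPED_EXE),
    *[Event("behavioral2", "write_memory", 432, 2068)] * 3,
    Event("behavioral1", "spawn", 1900, 2732, DROPPED_EXE),
    Event("behavioral1", "unmap_main_image", 1900),
    Event("behavioral1", "unmap_main_image", 2732),
    *[Event("behavioral1", "write_memory", 1900, 2732)] * 4,
]

# Constructed DNS log: the 30 storage-cabinets.info lookups and the 11 PTR
# lookups listed in the behavioral2 network table (order not preserved).
DNS_QUERIES = [C2_DOMAIN] * 30 + [
    "217.106.137.52.in-addr.arpa", "180.178.17.96.in-addr.arpa",
    "133.32.126.40.in-addr.arpa", "95.221.229.192.in-addr.arpa",
    "149.220.183.52.in-addr.arpa", "86.23.85.13.in-addr.arpa",
    "15.164.165.52.in-addr.arpa", "18.134.221.88.in-addr.arpa",
    "194.178.17.96.in-addr.arpa", "19.229.111.52.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
]


def find_injection_candidates(events):
    """Parent spawns a child from a user-writable temp directory and then
    writes into that child's memory.  A child that also saw UnmapMainImage
    is flagged: unmapping the main image before the writes is the classic
    process-hollowing sequence.  Returns sorted
    (run, parent_pid, child_pid, write_count, unmapped) tuples."""
    spawned_from_temp = {
        (e.run, e.pid, e.target_pid)
        for e in events
        if e.kind == "spawn" and e.image.lower().startswith(TEMP_DIR.lower() + "\\")
    }
    unmapped = {(e.run, e.pid) for e in events if e.kind == "unmap_main_image"}
    writes = Counter(
        (e.run, e.pid, e.target_pid) for e in events if e.kind == "write_memory"
    )
    return [
        (run, parent, child, n, (run, child) in unmapped)
        for (run, parent, child), n in sorted(writes.items())
        if (run, parent, child) in spawned_from_temp
    ]


def ptr_to_ip(name):
    """Decode a reverse-lookup name back to the IPv4 address it asks about,
    or None if the name is not a well-formed in-addr.arpa PTR query."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize_dns(queries, threshold=10):
    """Return (repeated, looked_up): forward names queried at least
    `threshold` times in the run, and the IPs behind any PTR lookups.
    Repeated lookups of one name with no other traffic are the usual
    signature of a C2 domain that does not resolve; PTR lookups are often
    OS background noise and are decoded so they can be triaged separately."""
    counts = Counter(queries)
    repeated = [
        (name, n) for name, n in counts.most_common()
        if n >= threshold and ptr_to_ip(name) is None
    ]
    looked_up = sorted(ip for ip in map(ptr_to_ip, counts) if ip)
    return repeated, looked_up


if __name__ == "__main__":
    for run, parent, child, n, unmapped in find_injection_candidates(EVENTS):
        print(f"{run}: {parent} -> {child} ({n} writes, hollowing={unmapped})")
    repeated, looked_up = summarize_dns(DNS_QUERIES)
    print("repeated lookups:", repeated)
    print("PTR targets:", looked_up)
```

Run against the transcribed rows, the first check reports one parent-to-child write chain per run and marks only the Win7 chain as hollowing-like, because UnmapMainImage fired there and not in the Win10 run; the second check isolates storage-cabinets.info as the one name looked up repeatedly and lists the addresses behind the PTR queries, which can then be checked against known Windows telemetry ranges before being treated as sample-driven traffic.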