598bad8bd3ae6afda088d0350c8e154c6720c930f54b2178c2734da65637d19a

Analysis

max time kernel
116s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe
Size

33KB
MD5

b05f5d1083e5ae0b3bc7ec3b358f2e02
SHA1

3abf0e31f4e2864c0cf82a7600e1406e11babd9f
SHA256

598bad8bd3ae6afda088d0350c8e154c6720c930f54b2178c2734da65637d19a
SHA512

92a766ca264339b9860429685012e3b519cc2d7781fdcfd054552c9018d0afafff431b276c9c2ad73e27827d111a1f4519e85c6e238e5349e2c24572397418f1
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6A0ar:b/yC4GyNM01GuQMNXw2PSjH+ar

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000c00000002315b-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4624	1176	2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe	88
PID 1176 wrote to memory of 4624	1176	2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe	88
PID 1176 wrote to memory of 4624	1176	2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_b05f5d1083e5ae0b3bc7ec3b358f2e02_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
33KB

MD5
04ce3dab8037762a26c77213e64953d0

SHA1
9bbffb9f1281434bc5daa3766b9cadf16af2fae1

SHA256
1c81ac4cc9112fd2436c3214085800eb6b9a87be859527ecd9166e0fa4684dfb

SHA512
86b0fc3b6b043e07255c7d095b1cd391560847c2904bec2b89720fcda9105246b51faad47fd00a773d36c0cc8e8ed074a2f1a7ea3a6efbd3aad6c986edbe0f0d

Download Submit
memory/1176-0-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/1176-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1176-1-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/4624-25-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download