bac29e0cc20672b8fe80b3f1282037f93fb0a48fa068bc79c1031ddae6dfb9b1

Analysis

max time kernel
3s
max time network
71s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe
Size

40KB
MD5

37eaf28e8d0f5397914213b88f831bf3
SHA1

0ff1d68884d8dc21b49786a28eee53821ebf2d11
SHA256

bac29e0cc20672b8fe80b3f1282037f93fb0a48fa068bc79c1031ddae6dfb9b1
SHA512

7a9d1ac39487aa48b12e77c4226a76acfa109d20cdc27ddaa6fd9a6cf243de590cfebc4981a96759211b27ca8b7cbbd51d1355784e8bb9156e5f9fd47ea4d69b
SSDEEP

768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PAah:b/pYayGig5HjS3NPAq

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224c-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2516	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2212	2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe
2516	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2516	2212	2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe	28
PID 2212 wrote to memory of 2516	2212	2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe	28
PID 2212 wrote to memory of 2516	2212	2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe	28
PID 2212 wrote to memory of 2516	2212	2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_37eaf28e8d0f5397914213b88f831bf3_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
41KB

MD5
e9fa1a0e8bec07ad0d421ba46063fb45

SHA1
3284318582bcd578ffaca594af0f73921e50343f

SHA256
9b3cffac396fa99456574d56dd31cf8895310c2d80a880630f7173b077003cff

SHA512
1252adec8c1593ed7604d30b33697b0058a6c5bdd1ea4a8f1f0672863640c49990f7ecfdb0f5a0aa9f4381ddc64b3ddc505669d8757771193c3f9081268e2293

Download Submit
memory/2212-0-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/2212-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2212-8-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/2516-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download