7a41f514a1fbaa037d7dfb10d7af8060ff4e037c9520bd9454ddba9fd7dcf628

Analysis

max time kernel
4s
max time network
81s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe
Size

36KB
MD5

8bb4a354df7fe5350813444d7bf10fd4
SHA1

327807676d2ac21af3bf723aea4d2f16c114328a
SHA256

7a41f514a1fbaa037d7dfb10d7af8060ff4e037c9520bd9454ddba9fd7dcf628
SHA512

6dde7187345f628eda93ae6213b79eb1efff2f0c395c068d1786b56de44c3a91fc2b1a56f818c637683d5b484b9d498f3bb962517233d1834ad43bc240409f45
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuV5Nb:b/yC4GyNM01GuQMNXw2PSjHPbSuhb

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1712	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2264	2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe
1712	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1712	2264	2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe	28
PID 2264 wrote to memory of 1712	2264	2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe	28
PID 2264 wrote to memory of 1712	2264	2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe	28
PID 2264 wrote to memory of 1712	2264	2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_8bb4a354df7fe5350813444d7bf10fd4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
36KB

MD5
3cac5a48844bb1641d64ec78cf278442

SHA1
8f2bdd9320a55154e587f5fb1c490ba34c291edc

SHA256
ad0d7e5a59683ad5f1bb2e7802290a72d45a20ab8f5fe28203e7cb3163b2103b

SHA512
13dd92a76a3ecfc38c899e584c0450b786c84abb9feaed687282fb55b284548d3c0ea55aeb6577296e2a84624b76e50ef46408f8e3ced9c8806343c58ad74039

Download Submit
memory/1712-19-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2264-0-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2264-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2264-4-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download