41feeca97c660844f8f15c05364d44e5c6b8cff65bb80a85edbf5bc93d2e1bfb

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe
Size

39KB
MD5

e123d9e2119155590e5df1a1f21a52f0
SHA1

7e313973f5cf86c5ddf0f8a2f2fec93f2db30cd6
SHA256

41feeca97c660844f8f15c05364d44e5c6b8cff65bb80a85edbf5bc93d2e1bfb
SHA512

bf130afe318ecff157c8b8cc2ccc3164694b5b541242dd49daad4a95c37fec6f40629187a0074013403b39c2b91067f2ef4aa06ba3f93d7c498776ee6b1abf0b
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlWjp:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW9

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023160-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3900	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3900	3600	2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe	85
PID 3600 wrote to memory of 3900	3600	2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe	85
PID 3600 wrote to memory of 3900	3600	2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_e123d9e2119155590e5df1a1f21a52f0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
39KB

MD5
1fe433dc769abcadc32dfce1dec9fa1e

SHA1
f2181ad5c2ad236b1c1c8a9f5f96a441959c7cd0

SHA256
04e8d869f0f9caad0d31a2431e30ef76cfc7ef65221c72c5f3aa0e2ec87f6b81

SHA512
4c5b1d287ea3ed905c3da12dfced1df8477c9ced2afca52b8f8c327921ad933842de6aeb83e2d01d0dd21a3d2657cb44fafec0e7b10f84b4002a038bdaa76bec

Download Submit
memory/3600-0-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/3600-1-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/3600-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3900-22-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download