Analysis
-
max time kernel
15s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 17:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe
-
Size
40KB
-
MD5
ce5b42eca3a51b7e490b1e8e0621974a
-
SHA1
8b248c99c68619fecd4693a24886f30a38187c99
-
SHA256
dc84f008b21ae702b988ac233f96892264bf7845fdf3fc5c2fd9dc117d4903a4
-
SHA512
e1c3f8bc7b9d6d2321c5dc243948cdb1776cb3e1bb66a9f3d1d981cc7bded87d37697f0ced48662f8d0e3a4a4944db693f5c831ccb9c788809b093ee8c1b53fa
-
SSDEEP
768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PAO:b/pYayGig5HjS3NPAO
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\retln.exe CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
Processes:
retln.exepid process 1944 retln.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exepid process 2200 2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
Processes:
2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exeretln.exepid process 2200 2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe 1944 retln.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exedescription pid process target process PID 2200 wrote to memory of 1944 2200 2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe retln.exe PID 2200 wrote to memory of 1944 2200 2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe retln.exe PID 2200 wrote to memory of 1944 2200 2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe retln.exe PID 2200 wrote to memory of 1944 2200 2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe retln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ce5b42eca3a51b7e490b1e8e0621974a_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\retln.exe"C:\Users\Admin\AppData\Local\Temp\retln.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5c1500c1a01e8f0566bc372ffd509b9e3
SHA10827468dfa4e7b7330680af33494440d9f2ea027
SHA2562e5bf3625fa9ab0f56e807c269a2b077688fca3ce8d1a69c4ac84e2001ac2d32
SHA512bf48da3f9a93d003c7d5b1300de953cc903486d235c2759419beba91ec579f564ba43c844265cbe653444ed9d3f431c4793588d3e8a92120a4448a657e213df7