Analysis
max time kernel:  11s
max time network: 123s
platform:         windows7_x64
resource:         win7-20231215-en
resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:        12-02-2024 17:58
Static task: static1
Behavioral task: behavioral1
  Sample:   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample:   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
  Resource: win10v2004-20231222-en
General
Target: 2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
Size:   34KB
MD5:    fd57f8d848b1d3b1a979e63872c71568
SHA1:   a8631905d00446deee247d6d22b772587b4ab4da
SHA256: 7d16d2e8b5dafb6df11780dfd337eb809429afdd284c97b09a19e1b933928885
SHA512: 81c6c132f2266fee2a0a0a7a3fda7e7b4861e07c40f4ccc3efdfd7d6a9f5d186bc771831f5d79bbe4e64e40d8044c90a96f6483d6088a3f45344dd0a8a17d1e1
SSDEEP: 384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSzn1KkZP8j:b/yC4GyNM01GuQMNXw2PSj1Ph8j
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  resource                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\retln.exe   CryptoLocker_rule2
Executes dropped EXE (1 IoC)
  pid    process
  2088   retln.exe
Loads dropped DLL (1 IoC)
  pid    process
  2372   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of UnmapMainImage (2 IoCs)
  pid    process
  2372   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
  2088   retln.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    process                                                          target process
  PID 2372 wrote to memory of 2088   2372   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe    retln.exe
  PID 2372 wrote to memory of 2088   2372   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe    retln.exe
  PID 2372 wrote to memory of 2088   2372   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe    retln.exe
  PID 2372 wrote to memory of 2088   2372   2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe    retln.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe"
  PID: 2372
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\retln.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\retln.exe"
    PID: 2088
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 34KB
MD5:      ffa63cdb352558a36118728722055f3b
SHA1:     c9010149f4c8dfe67c97bab80a7c70a3cec722da
SHA256:   64d80cc9b017d93d5b729ff96c210be1973beea96df6817e46ece9401da2a333
SHA512:   63a833d6d7a078980bdb19f67a0b1dbc48dd1242833e52c375aa697148b389390271bf0be0de82c5ce8dfaf6f94581cddd83aedeade14090a5ee7c7e043ec5db