7d16d2e8b5dafb6df11780dfd337eb809429afdd284c97b09a19e1b933928885

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
Size

34KB
MD5

fd57f8d848b1d3b1a979e63872c71568
SHA1

a8631905d00446deee247d6d22b772587b4ab4da
SHA256

7d16d2e8b5dafb6df11780dfd337eb809429afdd284c97b09a19e1b933928885
SHA512

81c6c132f2266fee2a0a0a7a3fda7e7b4861e07c40f4ccc3efdfd7d6a9f5d186bc771831f5d79bbe4e64e40d8044c90a96f6483d6088a3f45344dd0a8a17d1e1
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSzn1KkZP8j:b/yC4GyNM01GuQMNXw2PSj1Ph8j

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\retln.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

retln.exe

pid process

4808 retln.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4808	retln.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe

description	pid	process	target process
PID 4848 wrote to memory of 4808	4848	2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe	retln.exe
PID 4848 wrote to memory of 4808	4848	2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe	retln.exe
PID 4848 wrote to memory of 4808	4848	2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe	retln.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_fd57f8d848b1d3b1a979e63872c71568_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
2⤵
- Executes dropped EXE
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
34KB

MD5
ffa63cdb352558a36118728722055f3b

SHA1
c9010149f4c8dfe67c97bab80a7c70a3cec722da

SHA256
64d80cc9b017d93d5b729ff96c210be1973beea96df6817e46ece9401da2a333

SHA512
63a833d6d7a078980bdb19f67a0b1dbc48dd1242833e52c375aa697148b389390271bf0be0de82c5ce8dfaf6f94581cddd83aedeade14090a5ee7c7e043ec5db

Download Submit
memory/4808-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/4848-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/4848-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/4848-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download