65d27d0b48fd232adc30a7d6256b91460bc2cb41a6e3e15995a44524915369c7

Analysis

max time kernel
18s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe
Size

39KB
MD5

f7833b4b99ecec4f3d2c28b81f84da8a
SHA1

1aa8b83c91d010433bb153b5badd6b91994b66c8
SHA256

65d27d0b48fd232adc30a7d6256b91460bc2cb41a6e3e15995a44524915369c7
SHA512

6faef108bec257efc12074a944c4d3e286967d1d8be5b2ebe69bf49adabed45dc821142628bdc4a966ad817663af746de59f698d7b12886abae7363568340c6b
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlWjb:b/yC4GyNM01GuQMNXw2PSjHPbSuYlWv

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225a-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2980	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2032	2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe
2980	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2980	2032	2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe	28
PID 2032 wrote to memory of 2980	2032	2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe	28
PID 2032 wrote to memory of 2980	2032	2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe	28
PID 2032 wrote to memory of 2980	2032	2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_f7833b4b99ecec4f3d2c28b81f84da8a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
39KB

MD5
acec52d952f5525ba7ed8fbd7c7b5e68

SHA1
7c760e4c1777f0d229cbeede6ba6e32e88f256bd

SHA256
2d5208356d089a1c43d391ee0ccd7909adcc092ae03288b5b737126ea6592d43

SHA512
6b149f26b583be2df254c0128b12d0ad76b397ae3dc79f400b993ee19a44a856b08a68587f9720d8b47d66a9f79e2e93e566550d7a0a22569b822f72ab734b2b

Download Submit
memory/2032-0-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2032-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2032-2-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2980-21-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download