Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12-02-2024 19:57
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe
-
Size
40KB
-
MD5
4b68ecab026c808b7b5336afa90fd5dd
-
SHA1
d792149cb5acdb82ffaa9b98037f59034dcf8a8e
-
SHA256
6dca2b7a8043247095ac7d05b4d8ba65defba73ff9939f0f1a54685dbcdca96d
-
SHA512
4723b1212ea17f4110b5200b41f15862113561b94a2d01f5121badbfbd07e2f02bb65e6a3964998461cdd690247924e6bd811dd269e20ff5c431d514ad608fda
-
SSDEEP
768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PAA:b/pYayGig5HjS3NPAA
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\retln.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
retln.exepid process 2148 retln.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exedescription pid process target process PID 3228 wrote to memory of 2148 3228 2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe retln.exe PID 3228 wrote to memory of 2148 3228 2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe retln.exe PID 3228 wrote to memory of 2148 3228 2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe retln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_4b68ecab026c808b7b5336afa90fd5dd_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\retln.exe"C:\Users\Admin\AppData\Local\Temp\retln.exe"2⤵
- Executes dropped EXE
PID:2148
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD55b9869c1e89ac2966443163456f48e12
SHA142aa8649fcfa09a74722c8f725e404bae837cfe0
SHA256160bad443607b4035a6394ae141e49b0f241dd21e32da913bca2400ee3f83aa7
SHA512bbc158182cfd7892d8abd018498b050393b29987f4d147710877f0ca8796567d4004bf6c16f8a6e6360766b1675d61267013d2cc2896dff2796644a4c8ec9ee7