8e6971d986a117eb2a02a7834f122c6427b2af2e179fb12e29097a9d5dc1e1ef

Analysis

max time kernel
2s
max time network
71s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe
Size

35KB
MD5

553bf68385445e0a514c7513f3df48ae
SHA1

6490cb994a6f52dc93770bf86ad026ba163a4dc8
SHA256

8e6971d986a117eb2a02a7834f122c6427b2af2e179fb12e29097a9d5dc1e1ef
SHA512

701734dd3119b4d57385bf6b693d6a8e262a03fd5c2d89693b51f7a1da4d1096f740908dfd4f12ca031506613e322df620a47198f13256a9aafe74f3904b05d4
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSzn1KkZ1aBg8D:b/yC4GyNM01GuQMNXw2PSj1PrHu

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-12.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2804	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
332	2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
332	2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe
2804	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2804	332	2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe	28
PID 332 wrote to memory of 2804	332	2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe	28
PID 332 wrote to memory of 2804	332	2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe	28
PID 332 wrote to memory of 2804	332	2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_553bf68385445e0a514c7513f3df48ae_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
35KB

MD5
69246253f3debb082571f9e5b0253f64

SHA1
c7816d60f9717969004c2fb66a4130e208b1ebad

SHA256
9aa841991aabe2ae5e86f730543fd29e97ab4d9015a4826ff7bb3856477dbe0f

SHA512
f0e66cd832823c18529ecc9a95f87d46441aff42a365339cf5e76dfbe012f5400bf6f19815ed2554fb8feab7d4f61e12f1085fc73b8ea8d896f7d0111df3d535

Download Submit
memory/332-0-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/332-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/332-1-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2804-18-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download