Malware Analysis Report

2025-08-06 00:04

Sample ID 240223-mpn37seg9y
Target 2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker
SHA256 4cdbb19aaf03032eab2123e81d2e1b33c2992996bb8179dbb87fee0026418edf
Tags: discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

4cdbb19aaf03032eab2123e81d2e1b33c2992996bb8179dbb87fee0026418edf

Threat Level: Known bad

The file 2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker was found to be: Known bad.

Malicious Activity Summary

discovery

Detection of CryptoLocker Variants

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Creates a large amount of network flows

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 10:38

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 10:38

Reported

2024-02-23 10:41

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\retln.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp

Files

memory/1336-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/1336-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/1336-2-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\retln.exe

MD5 f5026939b3fb62b116119324eadd796e
SHA1 d3c94e774db015f07228e3aec519f663460562c8
SHA256 f25b96d60b733d39cb181f68654786477d8bd1248a739d3045694e794260b778
SHA512 829a165939e3ec62eb83963728c71fd66aec27dfa2846d679a54201aad99dc2ed7d335efc100546a7baea704e6b0d3b0f4deb3f7c35ee9c076dccd0a2ba41a27

memory/3872-25-0x00000000020E0000-0x00000000020E6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 10:38

Reported

2024-02-23 10:41

Platform

win7-20240215-en

Max time kernel

17s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\retln.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe N/A

Creates a large amount of network flows

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage-cabinets.info udp

Files

memory/1540-0-0x0000000000280000-0x0000000000286000-memory.dmp

memory/1540-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1540-3-0x0000000000280000-0x0000000000286000-memory.dmp

\Users\Admin\AppData\Local\Temp\retln.exe

MD5 f5026939b3fb62b116119324eadd796e
SHA1 d3c94e774db015f07228e3aec519f663460562c8
SHA256 f25b96d60b733d39cb181f68654786477d8bd1248a739d3045694e794260b778
SHA512 829a165939e3ec62eb83963728c71fd66aec27dfa2846d679a54201aad99dc2ed7d335efc100546a7baea704e6b0d3b0f4deb3f7c35ee9c076dccd0a2ba41a27

memory/3056-23-0x0000000000290000-0x0000000000296000-memory.dmp