Analysis Overview
SHA256
4cdbb19aaf03032eab2123e81d2e1b33c2992996bb8179dbb87fee0026418edf
Threat Level: Known bad
The file 2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Detection of CryptoLocker Variants
Detection of CryptoLocker Variants
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Creates a large amount of network flows
Unsigned PE
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 10:38
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 10:38
Reported
2024-02-23 10:41
Platform
win10v2004-20240221-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1336 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1336 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/1336-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/1336-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/1336-2-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | f5026939b3fb62b116119324eadd796e |
| SHA1 | d3c94e774db015f07228e3aec519f663460562c8 |
| SHA256 | f25b96d60b733d39cb181f68654786477d8bd1248a739d3045694e794260b778 |
| SHA512 | 829a165939e3ec62eb83963728c71fd66aec27dfa2846d679a54201aad99dc2ed7d335efc100546a7baea704e6b0d3b0f4deb3f7c35ee9c076dccd0a2ba41a27 |
memory/3872-25-0x00000000020E0000-0x00000000020E6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 10:38
Reported
2024-02-23 10:41
Platform
win7-20240215-en
Max time kernel
17s
Max time network
120s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | N/A |
Creates a large amount of network flows
Enumerates physical storage devices
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1540 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1540 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1540 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1540 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_408d13b8d7884403cba28a20db0d0992_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/1540-0-0x0000000000280000-0x0000000000286000-memory.dmp
memory/1540-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1540-3-0x0000000000280000-0x0000000000286000-memory.dmp
\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | f5026939b3fb62b116119324eadd796e |
| SHA1 | d3c94e774db015f07228e3aec519f663460562c8 |
| SHA256 | f25b96d60b733d39cb181f68654786477d8bd1248a739d3045694e794260b778 |
| SHA512 | 829a165939e3ec62eb83963728c71fd66aec27dfa2846d679a54201aad99dc2ed7d335efc100546a7baea704e6b0d3b0f4deb3f7c35ee9c076dccd0a2ba41a27 |
memory/3056-23-0x0000000000290000-0x0000000000296000-memory.dmp