Analysis
-
max time kernel
18s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23/02/2024, 10:53
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe
Resource
win10v2004-20240221-en
General
-
Target
2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe
-
Size
34KB
-
MD5
8a5ca1f1ea6229115d0a471c96a80dc7
-
SHA1
9a5616d701c62211d8aec84af080eaba615a0913
-
SHA256
829baaf34b074e7efe50d68a19a022d3085e2c8b74bff6742785145dfd4b6c2c
-
SHA512
ef6a7b64be5a4b4e84f7d892474d236e6ea154177b6cb5f3cfd1750cffba52f346c58a1c647537620aae068088f946c25ea7a5d30fabca4383e1201c2e10f1d0
-
SSDEEP
384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6A0X/EIJ3M:b/yC4GyNM01GuQMNXw2PSjH+P1c
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000d000000012260-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2280 retln.exe -
Loads dropped DLL 1 IoCs
pid Process 1860 2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1860 2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe 2280 retln.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1860 wrote to memory of 2280 1860 2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe 28 PID 1860 wrote to memory of 2280 1860 2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe 28 PID 1860 wrote to memory of 2280 1860 2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe 28 PID 1860 wrote to memory of 2280 1860 2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-23_8a5ca1f1ea6229115d0a471c96a80dc7_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\retln.exe"C:\Users\Admin\AppData\Local\Temp\retln.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2280
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD583ecf5187dcb5a86da7a441b56e3b74a
SHA1d213e561c064ed3f343d9ee42934c355d485124a
SHA25616df08ec826bd1b514ef0f129cdda4eaf78c28ef798f294804981e6d3f78ef4f
SHA512b151732e9ea488c3d43a4f1cddfe01cbdfb0351f2f5d3b9ff09ab1e08268474d936c1c7f5df6e9653404e1d87826db42745c7fa2cf1207067bde956fb38a16b5