228e913b3a21f68b1649e71d6e947b4596db6bd7d3dacdc224c0dfb087fe6892

Analysis

max time kernel
12s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
Size

39KB
MD5

a149418ee29df4dde05b41d2222699bc
SHA1

5b6b4a2744336b64285beae1723710a429a2dcef
SHA256

228e913b3a21f68b1649e71d6e947b4596db6bd7d3dacdc224c0dfb087fe6892
SHA512

c2d2b675aaa05947c37d4128dcdea6019822143e04da3b79005bb56cdd900472c05ee99a06952226154c31f81529fa45e71072c585b34fc5da31ed7a76083b55
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlxujsFw5:b/yC4GyNM01GuQMNXw2PSjHPbSuYlaJ5

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012240-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1920	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
624	2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
624	2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
1920	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1920	624	2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe	28
PID 624 wrote to memory of 1920	624	2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe	28
PID 624 wrote to memory of 1920	624	2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe	28
PID 624 wrote to memory of 1920	624	2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
39KB

MD5
66e265f539eda4c87789f8fb8f333ca0

SHA1
888e961d6bd7ac92fa832bb6ab5cf6cf07c7cc87

SHA256
8af8cecb7ae45ff3c473b87b19ec8e6da6c9195d8f2a4dc13fb294f2e8ecf294

SHA512
7aeb1b626180cb5d4efdcdd56149bb73f524e99295782e1dc8c7bc673b13457293751950966501894bff5c92bf69982af248e0b334cb3b75d591a8b97f14db43

Download Submit
memory/624-0-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/624-2-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/624-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1920-19-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download