Malware Analysis Report

2025-08-05 09:28

Sample ID 240223-plfc1aff3s
Target 2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker
SHA256 4bde26866a1ac68a478218301e9f70eabaebe88788906c1d8a528059eb1f3ca3
Tags
discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bde26866a1ac68a478218301e9f70eabaebe88788906c1d8a528059eb1f3ca3

Threat Level: Known bad

The file 2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker was found to be: Known bad.

Malicious Activity Summary

discovery

Detection of CryptoLocker Variants

Detection of CryptoLocker Variants

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Creates a large amount of network flows

Enumerates physical storage devices

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 12:24

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 12:24

Reported

2024-02-23 12:27

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\retln.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe N/A

Creates a large amount of network flows

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage-cabinets.info udp

Files

memory/2220-0-0x0000000000280000-0x0000000000286000-memory.dmp

memory/2220-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2220-8-0x0000000000280000-0x0000000000286000-memory.dmp

\Users\Admin\AppData\Local\Temp\retln.exe

MD5 d106438f54a7f8f56938bcaae89dcb5e
SHA1 f39add7714cdc6620e98c179b9527324253e776b
SHA256 88bd3679069fb49248f709f567c52ee00cf70eed32c295a52b2a709bc6aca660
SHA512 69da391154def502d24c41fc4617b20e29db8dc926e874f90d4355b3da6b2f9d24b996ee75bd8c1acefabf19a53f64ac6bf07da33c186869dee5677ea4afdc08

memory/3032-19-0x00000000003C0000-0x00000000003C6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 12:24

Reported

2024-02-23 12:27

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\retln.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp

Files

memory/5100-0-0x00000000022D0000-0x00000000022D6000-memory.dmp

memory/5100-1-0x00000000022D0000-0x00000000022D6000-memory.dmp

memory/5100-2-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\retln.exe

MD5 d106438f54a7f8f56938bcaae89dcb5e
SHA1 f39add7714cdc6620e98c179b9527324253e776b
SHA256 88bd3679069fb49248f709f567c52ee00cf70eed32c295a52b2a709bc6aca660
SHA512 69da391154def502d24c41fc4617b20e29db8dc926e874f90d4355b3da6b2f9d24b996ee75bd8c1acefabf19a53f64ac6bf07da33c186869dee5677ea4afdc08

memory/2636-24-0x0000000002020000-0x0000000002026000-memory.dmp