Analysis Overview
SHA256
4bde26866a1ac68a478218301e9f70eabaebe88788906c1d8a528059eb1f3ca3
Threat Level: Known bad
The file 2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Detection of CryptoLocker Variants
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Creates a large amount of network flows
Enumerates physical storage devices
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 12:24
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 12:24
Reported
2024-02-23 12:27
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | N/A |
Creates a large amount of network flows
Enumerates physical storage devices
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 2220 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 2220 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 2220 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/2220-0-0x0000000000280000-0x0000000000286000-memory.dmp
memory/2220-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2220-8-0x0000000000280000-0x0000000000286000-memory.dmp
\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | d106438f54a7f8f56938bcaae89dcb5e |
| SHA1 | f39add7714cdc6620e98c179b9527324253e776b |
| SHA256 | 88bd3679069fb49248f709f567c52ee00cf70eed32c295a52b2a709bc6aca660 |
| SHA512 | 69da391154def502d24c41fc4617b20e29db8dc926e874f90d4355b3da6b2f9d24b996ee75bd8c1acefabf19a53f64ac6bf07da33c186869dee5677ea4afdc08 |
memory/3032-19-0x00000000003C0000-0x00000000003C6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 12:24
Reported
2024-02-23 12:27
Platform
win10v2004-20240221-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5100 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 5100 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 5100 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_039639897dfa9ce009814a85e3bea278_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/5100-0-0x00000000022D0000-0x00000000022D6000-memory.dmp
memory/5100-1-0x00000000022D0000-0x00000000022D6000-memory.dmp
memory/5100-2-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | d106438f54a7f8f56938bcaae89dcb5e |
| SHA1 | f39add7714cdc6620e98c179b9527324253e776b |
| SHA256 | 88bd3679069fb49248f709f567c52ee00cf70eed32c295a52b2a709bc6aca660 |
| SHA512 | 69da391154def502d24c41fc4617b20e29db8dc926e874f90d4355b3da6b2f9d24b996ee75bd8c1acefabf19a53f64ac6bf07da33c186869dee5677ea4afdc08 |
memory/2636-24-0x0000000002020000-0x0000000002026000-memory.dmp