a8b54aa34bdf65342ee27bbaf5976b3d8a1a3dd6caf09970310e6902bcf31033

Analysis

max time kernel
22s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe
Size

31KB
MD5

57bbfb98acb1f1472e082aefcda3fbdb
SHA1

be7c4672315d5aac2cd3b7d2688770871f502b63
SHA256

a8b54aa34bdf65342ee27bbaf5976b3d8a1a3dd6caf09970310e6902bcf31033
SHA512

a8fd761715c6f5235cb37c83aca52b357fd69fd425700fe04a12e50bc562d1a8e24e751ce191a576c699209bc0d2f6f6997239b653dafe98c85359652b1dcfc2
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznUsso3:b/yC4GyNM01GuQMNXw2PSjWo3

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012272-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2520	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2196	2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe
2520	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2520	2196	2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe	28
PID 2196 wrote to memory of 2520	2196	2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe	28
PID 2196 wrote to memory of 2520	2196	2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe	28
PID 2196 wrote to memory of 2520	2196	2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-29_57bbfb98acb1f1472e082aefcda3fbdb_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
32KB

MD5
9cc0ff03adc193e51e71bd002d67f740

SHA1
bd1a387a3005038cc121117a66d612504b22093d

SHA256
820db4a6d8fbc5ccbe6479d6744bcb0b7b64f0cfe02d09b0bc05aef4904bab33

SHA512
63cf2ae29e5f557420990144e48a6c275eca95debb2f398b1250a164c34399a4fbf54db191e0bb7fe27fa676d75c3083632e8bb8a5391fb6652bd975cb1a872c

Download Submit
memory/2196-0-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2196-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2196-2-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download