51f6185e2f3cbb5317fb8191e87ba68be9d1a9996b2a2fc491f7a62183b830d5

Analysis

max time kernel
12s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe
Size

35KB
MD5

c780b55cb576d47c4df81bed5fd1cae5
SHA1

b2d5fd25e2595e0096d60e8f59c7ff1439e98ca8
SHA256

51f6185e2f3cbb5317fb8191e87ba68be9d1a9996b2a2fc491f7a62183b830d5
SHA512

aaede9d2c4b2804734a167d09b8f861c5e7ee3fd1781978092f79c8fb70d9ab95461350651f91689ed414bad356fcc223893222fc449234472adbf9a7ea9ee94
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6A0X/EIJ3E9:b/yC4GyNM01GuQMNXw2PSjH+P1K

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
3064	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2388	2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2388	2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe
3064	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3064	2388	2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe	28
PID 2388 wrote to memory of 3064	2388	2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe	28
PID 2388 wrote to memory of 3064	2388	2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe	28
PID 2388 wrote to memory of 3064	2388	2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_c780b55cb576d47c4df81bed5fd1cae5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
35KB

MD5
6dd07e3e750f6075629e4bf4af2cd1dc

SHA1
2dfc72a221eeacb227de9d628215dcf042c4b252

SHA256
2cdd8c0696eb65842c2f6fd0811261886623b6dfbac2bfc43d32ee6087dc6dcb

SHA512
b9731d59a98de0d9d5f3af98b63815206fee08a78535f9bc64aa741d4639e5a627c07fd6947c333a204f2dfe96c76efbb255791bc4fcfa8f4b98b88b62a1dea1

Download Submit
memory/2388-0-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2388-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2388-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/3064-16-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download