d9826cfc07cc47c7af083fbb03a1706019f90bc0fb535076805476186fe722f0

Analysis

max time kernel
3s
max time network
71s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe
Size

37KB
MD5

a0e7c2fdc42fbda497b3ab58d0be47cf
SHA1

7d9274ec43e324f686408a1589c82e17acff3ee1
SHA256

d9826cfc07cc47c7af083fbb03a1706019f90bc0fb535076805476186fe722f0
SHA512

11bad9cdb56d9757b02ee6993246102647758bd322c0870a2c64437d124be856afc30f50462beb60cbf99bceaf5261664ea4098582c3aefd4923e1aad0c76c44
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSzn1KkZCb9q8IuxNXTTZ:b/yC4GyNM01GuQMNXw2PSj1Pqq8tjTZ

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000142c4-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2840	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2344	2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe
2840	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2840	2344	2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe	28
PID 2344 wrote to memory of 2840	2344	2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe	28
PID 2344 wrote to memory of 2840	2344	2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe	28
PID 2344 wrote to memory of 2840	2344	2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_a0e7c2fdc42fbda497b3ab58d0be47cf_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
37KB

MD5
41adcc66d4981d13a2419c280327de8a

SHA1
a4aba465396adf4b24bac3d3fda6f8d16442c47a

SHA256
e936263cdfc3bbad0011ed5d5a6ff10dbd8d7fcde7da572dbda64ca5459aed1e

SHA512
fccab85656c9be7616f3f867fb8545b05fe6eb1a04fb125e4f743381211ebc9ebfbf3a439c8b9d2f18189fd31baf560e9dfa919f99a2942ddf954b4458569ca3

Download Submit
memory/2344-0-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2344-2-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2344-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2840-23-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download