2e2a015237f4135a1ac2d56f18f71eedb5418c76c929a5bdfdd14ca9fd2c368c

Analysis

max time kernel
3s
max time network
74s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 03:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe
Size

32KB
MD5

5ff1c57ec0c3d7cff5c6c18b248c15a1
SHA1

deba142834d5d972afe4f52967d6028f980f229f
SHA256

2e2a015237f4135a1ac2d56f18f71eedb5418c76c929a5bdfdd14ca9fd2c368c
SHA512

a52fb0c51b765e7db17d0d95c23bfc9f892db209e3b9c09a16f47017b56d1f47fad5036027e85b9da0b98ee8eb40de398ee8931e14198de7d32206ea375e8563
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEkcsP:b/yC4GyNM01GuQMNXw2PSjSKkck

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012339-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1720	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3068	2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe
1720	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1720	3068	2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe	28
PID 3068 wrote to memory of 1720	3068	2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe	28
PID 3068 wrote to memory of 1720	3068	2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe	28
PID 3068 wrote to memory of 1720	3068	2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_5ff1c57ec0c3d7cff5c6c18b248c15a1_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
32KB

MD5
f7e58f91a12bcc7ff040555fe241ae2d

SHA1
d4b75ba82adc693c2ccbc12918008fc8b1ec8fb6

SHA256
436498692cc9cd18d2dfc125c8c09784801836456b443d249988ff638b121a03

SHA512
329445ab2aa16cb9123b5d7a94ad703557c2133ab2eaa75bae5b0c4e726d1918ddebee5f857ef1e1f4be082119b9b6523120d7494f3e88d1bb1a75ef72016e19

Download Submit
memory/1720-23-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/3068-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3068-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3068-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download