62136c2c2dbfd95c6713d5f7b68dc5cb24bc4be4e6a715a617223c93b8024e43

Analysis

max time kernel
153s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 17:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe
Size

32KB
MD5

ca57a9482746cb92b40a00b529dfb473
SHA1

79cb29b03a12c9cbe00a724ebe821ba850ad75a7
SHA256

62136c2c2dbfd95c6713d5f7b68dc5cb24bc4be4e6a715a617223c93b8024e43
SHA512

8320837e699ebbc9b9b68ee1edf420bfe578d0fbe5e2a96544ec247892a1e742e1159b5af1e978e410b3905d924cc10abca4fab9539b6c1d4c15a65bafe92227
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEkcsgRu:b/yC4GyNM01GuQMNXw2PSjSKkcJRu

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000001ea83-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4992	2620	2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe	91
PID 2620 wrote to memory of 4992	2620	2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe	91
PID 2620 wrote to memory of 4992	2620	2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ca57a9482746cb92b40a00b529dfb473_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
33KB

MD5
db5cc6c9afe759a41aa7d62c21c2967e

SHA1
c39fa354fe080a10336b617c84c9df4b6a9c5da9

SHA256
e02a89e3fa9471ba392dcdfe25a1e6cb4d97748d00c994b768c1489e7adb81d5

SHA512
c43cfec087a38ebf9dbf148be72516700ff9e063c507a79a163d97d24e48c7e4f3be3b94f2dbbc2428a0c5a3656edece8a3921bfb7386acdb0c51ab8a0c4b0be

Download Submit
memory/2620-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/2620-1-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/2620-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4992-20-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download