3c051d226ff83af9630d5d8a67069e2f3d95961ebc232f4ffc818ac1a1586aa9

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe
Size

40KB
MD5

33c42e2f5ede5f603f3857cb59bb74d1
SHA1

449be65e61e1028f96995414073b752e24d23007
SHA256

3c051d226ff83af9630d5d8a67069e2f3d95961ebc232f4ffc818ac1a1586aa9
SHA512

b189992fd603e5011c6837ed2d382c4f2f687d4d72bad87c6d90e361ab2f42877c4d21c33312a2f1a286c9ff9e9961434f2bfc7ca4ca7d27207932c4e93f3d2a
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlmoHR8uyp:b/yC4GyNM01GuQMNXw2PSjHPbSuYlZK

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x001c00000001e97e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
548	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 548	1608	2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe	85
PID 1608 wrote to memory of 548	1608	2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe	85
PID 1608 wrote to memory of 548	1608	2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_33c42e2f5ede5f603f3857cb59bb74d1_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
40KB

MD5
e2471933d2f6f981656d54c8676f350f

SHA1
5cbf6fd2b07e06d00c35c819b96f4002b627e6b2

SHA256
b7b51e59d3e8516263b07193fba494caf6ac5f57e47b1a9de29fc607b9a8c7eb

SHA512
af3535ac32ad4376d864fbe3e9fb6cedfb0e3d92ea7520a95ea322dde81ee4fb9360b96c87a1a1cdecd523d563639616104cfbed51561f22eff93f954067f7d3

Download Submit
memory/548-20-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/1608-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1608-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1608-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download