Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 04:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe
-
Size
32KB
-
MD5
1d724ddce55f1ce2147815da8ab7ee78
-
SHA1
8bc9aa7eeffcf3aef8cbef501d9b1d77619cbd82
-
SHA256
88bf050abce7f8f23b57382e3c512a104e7fc22771c1da9c219e179f8105367d
-
SHA512
90cdc54d13b35cc8a69fa36f1ea5b0c739d385ed014662a817ace72f24257c155d4b6ca1ae09f24584e707ec277b24d672dcb2ac3974a2be6c95d610a7bdf099
-
SSDEEP
384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEkcsgRO:b/yC4GyNM01GuQMNXw2PSjSKkcJRO
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\retln.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation 2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
retln.exepid process 3204 retln.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exedescription pid process target process PID 3020 wrote to memory of 3204 3020 2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe retln.exe PID 3020 wrote to memory of 3204 3020 2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe retln.exe PID 3020 wrote to memory of 3204 3020 2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe retln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-25_1d724ddce55f1ce2147815da8ab7ee78_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\retln.exe"C:\Users\Admin\AppData\Local\Temp\retln.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\retln.exeFilesize
33KB
MD5f6f531fd44d9fa308a04dd2f15e6d1b0
SHA1fa59e3175ecd74f47e7cc5e490e49ce181a23922
SHA256e9d5d50d9d8a90ffb7a848d39b78cb4bd9a582e7e8e168463e855953ccd9d811
SHA512d669c43ec5d95fe795fc4ac3f2064eea265b5328a53af836af0213f3ea20c5d5d45babd793d3998d4ad4b63fe4fbbbe9beed79b28b86ae264ff0ecc45bb82807
-
memory/3020-0-0x00000000021D0000-0x00000000021D6000-memory.dmpFilesize
24KB
-
memory/3020-1-0x00000000021D0000-0x00000000021D6000-memory.dmpFilesize
24KB
-
memory/3020-2-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/3204-21-0x00000000020A0000-0x00000000020A6000-memory.dmpFilesize
24KB