Analysis
-
max time kernel
17s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 02:26
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe
-
Size
44KB
-
MD5
22649df334759e7a643e262d096ddb8c
-
SHA1
9fc93bd59703c48b75229386e7bc17d7576af28f
-
SHA256
deb383b85841d693970bdb57a8f3512958526727cab3c5ff6a413f3fa1415721
-
SHA512
2512e8d5c00b00bd87aed74faa3da28540992a37259940d9894bb387e95e359e494bce53b9863bc2d73cfafd3e28b1d114170c2604376d37db980710cb9b2ded
-
SSDEEP
768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PA4DwOoJR:b/pYayGig5HjS3NPAuwf/
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\retln.exe CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
Processes:
retln.exepid process 2000 retln.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exepid process 624 2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
Processes:
2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exeretln.exepid process 624 2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe 2000 retln.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exedescription pid process target process PID 624 wrote to memory of 2000 624 2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe retln.exe PID 624 wrote to memory of 2000 624 2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe retln.exe PID 624 wrote to memory of 2000 624 2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe retln.exe PID 624 wrote to memory of 2000 624 2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe retln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-22_22649df334759e7a643e262d096ddb8c_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\retln.exe"C:\Users\Admin\AppData\Local\Temp\retln.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\retln.exeFilesize
44KB
MD54a6b1dd3e97767a1f58cf78138fa7c71
SHA14f09c9d1e58386e4b564811359ed3665d754b16f
SHA256b38894a95457d00a662165ec556330caa461ce24a6dfbeb2733655da14bbaffc
SHA5124c127cad5d1fc92e652cdd101e7ddf376c2126af60c7d532bca447726534e59bbb12b1198ce37e2ce7d84032705699f52cc79228581d9e9166fb0a09da3c4736
-
memory/624-0-0x0000000000280000-0x0000000000286000-memory.dmpFilesize
24KB
-
memory/624-1-0x0000000000280000-0x0000000000286000-memory.dmpFilesize
24KB
-
memory/624-2-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2000-23-0x0000000000350000-0x0000000000356000-memory.dmpFilesize
24KB