f1ce3c72a279883cc21c2ac7d70d45a7cf5ff5eac59d7456282c276c3c61293f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe
Size

38KB
MD5

0857a43be9a5a77035b72d38cde3485a
SHA1

1e74ffd9861a8650c3ca7ebb489f65391d94c868
SHA256

f1ce3c72a279883cc21c2ac7d70d45a7cf5ff5eac59d7456282c276c3c61293f
SHA512

7042c12c160b3d8e55d97bc8d3b62c9fff1c75d8ffea4568186362a7a136e49f2384643b8c187d334191b31ee526bd4cab212a8fafb0e66af448f1c2a19875f1
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSzn1KkZCb9q8INBjPP8ui:b/yC4GyNM01GuQMNXw2PSj1Pqq8oBjU

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\retln.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

retln.exe

pid process

2024 retln.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe

pid process

2984 2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exeretln.exe

pid process

2984 2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe
2024 retln.exe

pid	process
2024	retln.exe

pid	process
2984	2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe

pid	process
2984	2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe
2024	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe

description	pid	process	target process
PID 2984 wrote to memory of 2024	2984	2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe	retln.exe
PID 2984 wrote to memory of 2024	2984	2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe	retln.exe
PID 2984 wrote to memory of 2024	2984	2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe	retln.exe
PID 2984 wrote to memory of 2024	2984	2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe	retln.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_0857a43be9a5a77035b72d38cde3485a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
38KB

MD5
78049fde32276da07190cbd982da7373

SHA1
6b181f40affa8dd2a09811ea879c75a341b93ef8

SHA256
b62b8b016322ba746c3d6319c95bc94181b1d256c6b95d94795faa8e7a65c24e

SHA512
13006c70e8508c1f99e3573912c140b74b8039b810106eb61084ba9f2862281875cd76c3253d04774b9a36ee290ade0c5d58f231c52f3e3cffd5c4ce958b222c

Download Submit
memory/2024-23-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2984-0-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2984-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2984-8-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download