Analysis Overview
SHA256
aaaa3b43426637ca9cdc30e5066061264170cc93f5923d462addc1179877b7f0
Threat Level: Known bad
The file 2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Detection of CryptoLocker Variants
Detection of CryptoLocker Variants
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Creates a large amount of network flows
Unsigned PE
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 18:46
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 18:46
Reported
2024-05-27 18:48
Platform
win7-20240221-en
Max time kernel
15s
Max time network
118s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | N/A |
Creates a large amount of network flows
Enumerates physical storage devices
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1964 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1964 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 1964 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/1964-0-0x00000000004F0000-0x00000000004F6000-memory.dmp
memory/1964-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1964-8-0x00000000004F0000-0x00000000004F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | 5a18fe9daecdbaf09b182090a767e194 |
| SHA1 | 4127c8c71f21f4f6152154197ba90bbfa5e94d4d |
| SHA256 | ed687604ab929336f77a256df9a14a15aa59299fe14a17f67c334ba12cd5521a |
| SHA512 | 620a138b7873df0a90e90f9633a12b7daabe34d9d112b8afa1b70328f9b7460fd60fc50032a607f8cb37ebc09791f6d3d8464e3e552877df34a60f37a4355f8d |
memory/2984-23-0x0000000000380000-0x0000000000386000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 18:46
Reported
2024-05-27 18:48
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\retln.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4656 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 4656 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
| PID 4656 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\retln.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\retln.exe
"C:\Users\Admin\AppData\Local\Temp\retln.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
| US | 8.8.8.8:53 | storage-cabinets.info | udp |
Files
memory/4656-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/4656-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4656-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\retln.exe
| MD5 | 5a18fe9daecdbaf09b182090a767e194 |
| SHA1 | 4127c8c71f21f4f6152154197ba90bbfa5e94d4d |
| SHA256 | ed687604ab929336f77a256df9a14a15aa59299fe14a17f67c334ba12cd5521a |
| SHA512 | 620a138b7873df0a90e90f9633a12b7daabe34d9d112b8afa1b70328f9b7460fd60fc50032a607f8cb37ebc09791f6d3d8464e3e552877df34a60f37a4355f8d |
memory/1204-25-0x0000000002160000-0x0000000002166000-memory.dmp