36ddc1933aa80c07fed726bc8e98c9a8e25c0403df92a3d8025ce12695051f8a

Analysis

max time kernel
13s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe
Size

38KB
MD5

c028e905d163b5399bc4f0572f82a7e9
SHA1

6b6f0971deb1022c4e14ba5ab7e495bbe0b62a36
SHA256

36ddc1933aa80c07fed726bc8e98c9a8e25c0403df92a3d8025ce12695051f8a
SHA512

97b1ed9d1c0d503a7bca790fa965af11f24c8abce3ab88700246ad840b9e3b454fb70d459ff42c43bacac1b65e7e280d1d24e59cb9b18145d9efb4b8a48dce6a
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6A0X/EIjxuaPlby:b/yC4GyNM01GuQMNXw2PSjH+PPxVQ

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001226c-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2700	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2172	2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe
2700	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2700	2172	2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe	28
PID 2172 wrote to memory of 2700	2172	2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe	28
PID 2172 wrote to memory of 2700	2172	2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe	28
PID 2172 wrote to memory of 2700	2172	2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_c028e905d163b5399bc4f0572f82a7e9_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
38KB

MD5
01bb3b099170d257c9f4eb8424b3bd5d

SHA1
7a40d8260b8b3ed620378b1fea5ef2607624630a

SHA256
45429795fc7e6ae6054fe3cb702c080527e224a1c18994b2d9ece99cae7f7c0c

SHA512
e255aeba24d4eb7917a546dede2f3020f5f66eb46dd62fe3996ba8d732e6528a36ccc8d76d092a2150f79ccb737e25ed96ac3dd912ec4ebd2fad34cf58aaef5c

Download Submit
memory/2172-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2172-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2172-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2700-23-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download