ef35804d36317ba198330fc738f1e9c54baf8d5eb68d2d0f019f998b61aec1b5

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe
Size

33KB
MD5

147ea930e8b1498b05037d6e7aeecef0
SHA1

181675cd1dcec509a1ed72d97679f697285b5cc1
SHA256

ef35804d36317ba198330fc738f1e9c54baf8d5eb68d2d0f019f998b61aec1b5
SHA512

f04d4e1f4333b91fe1991e89e4b93025586803f57eba708e66e58565f6bd39781ad7c45524ef6d4695e2a0caece6eb6ab72e82547de7108d6477366a8bafbbd1
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEkcsgqza:b/yC4GyNM01GuQMNXw2PSjSKkcJ7

Score

9^/10

discovery

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001223a-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2504	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
1904	2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1904	2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe
2504	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2504	1904	2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe	28
PID 1904 wrote to memory of 2504	1904	2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe	28
PID 1904 wrote to memory of 2504	1904	2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe	28
PID 1904 wrote to memory of 2504	1904	2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_147ea930e8b1498b05037d6e7aeecef0_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
34KB

MD5
d5e0e0f94b1fe117d42f5c50d6ce85fb

SHA1
a5e9f5adff84339530605063abf52b74135b7b66

SHA256
8bb3f8b565d12788c4c350e9c884a2ed62f63a4f1a69d1233bc5740ef311ba86

SHA512
f82eef39cc824a46f6d6524bedfffc2a32dd0d2446c9b6d24323d8f3de0790310666339d917cbadf5a3e4de1513a67d6bef667fbd110a00071d82c4262747a7f

Download Submit
memory/1904-0-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1904-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1904-8-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2504-23-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download