5d724596617254a897bc00213b5f6845c64deb8d0c0e1e432371784ef9217b0d

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe
Size

34KB
MD5

86449b341d8ca32155a32f8a5330d2a8
SHA1

470b54f2cfed2032fa5fe5170935826842252bc1
SHA256

5d724596617254a897bc00213b5f6845c64deb8d0c0e1e432371784ef9217b0d
SHA512

0e2c89bd0a7708a4f9880bded028dff87a27609180b28a1941c4a403c23a58b3835cd171ac7bda65fac46f73b01a132116dda3563a8192e313118627fde9510b
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznStEkcsgqDxN:b/yC4GyNM01GuQMNXw2PSjSKkcJeN

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014909-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2548	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
3048	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3048	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe
2548	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2548	3048	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	28
PID 3048 wrote to memory of 2548	3048	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	28
PID 3048 wrote to memory of 2548	3048	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	28
PID 3048 wrote to memory of 2548	3048	2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_86449b341d8ca32155a32f8a5330d2a8_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
34KB

MD5
d4c8b80d874a952c479e20904db75396

SHA1
11d7c3c604045784bffea03a812f3eda20f43b05

SHA256
d143916f4ec322b7d7470ecc9b0c6263ea569ade24588fb8c941754bc94bd2ed

SHA512
b9bb5a0c1b2e259346f280546b0efffd6b94da4aa192c3a85416bf11dada5e3df4b25161235fa0caad646ad4435e154ff186036dc36f8880d5e3475f38bde594

Download Submit
memory/2548-23-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/3048-0-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/3048-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3048-7-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download