97e614ba95c1ff59ca4b0a2c810d23a032db15b87b3f085b7f8df8a8864e1c1e

Analysis

max time kernel
14s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe
Size

30KB
MD5

b1eca4ae906fd5778427633d4588a1de
SHA1

ba958fe4df7fa970072ebb0c292ed65474436973
SHA256

97e614ba95c1ff59ca4b0a2c810d23a032db15b87b3f085b7f8df8a8864e1c1e
SHA512

26faafc49438bb8b5449730554b579d7a3ca80162d3d6b3be2bb38b9238d2032b93c1e827cf908c2c559bdf77c7255de89f75391a336604eca69049377d5fbb0
SSDEEP

384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznCa:b/yC4GyNM01GuQMNXw2PSjH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2392	retln.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	retln.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2544	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe
2392	retln.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2392	2544	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe	30
PID 2544 wrote to memory of 2392	2544	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe	30
PID 2544 wrote to memory of 2392	2544	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe	30
PID 2544 wrote to memory of 2392	2544	2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_b1eca4ae906fd5778427633d4588a1de_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
30KB

MD5
292801ca71b3aab4466501563ba0db51

SHA1
0dfa2809eb445ad0666953b21959c7c87b774220

SHA256
75260fa4b7a531336c9803555c563682777dee688e13683903de4908b88c2383

SHA512
76787f8087bbefd85c9af797354401330c9c30a9a189a86a6f2eac35338ff41cde8493b3e1be7dc3c3aece29787d10804488e93d3438fcc367a1c0bd4b4db53a

Download Submit
memory/2392-16-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2544-0-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2544-8-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2544-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download