633e50597a6375c12d19038f11b1fe1550509c93f60a38b7d6410b2cc9dbd0e5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe
Size

44KB
MD5

b07d3e99fdbc1cac69fe27a9da694514
SHA1

bfebbb1c4ae7b9e9d8ccf440efaa4a00095c13cd
SHA256

633e50597a6375c12d19038f11b1fe1550509c93f60a38b7d6410b2cc9dbd0e5
SHA512

f9bebb8d76f7ad8b3d7b2a31dc740cd67e9e3621e6953d8a69d4053c94fedadcfa7d057e1d15e9f4312c880f07516b78fedf08e540a001359b850e70e9030b9f
SSDEEP

768:bQyC4GyNM01GuQMNXwXOQ69zbjlAAX5e9zT:bQpYayGiAizbR9XwzT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3952	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	retln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3952	4716	2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe	85
PID 4716 wrote to memory of 3952	4716	2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe	85
PID 4716 wrote to memory of 3952	4716	2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-31_b07d3e99fdbc1cac69fe27a9da694514_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
44KB

MD5
47c2994d4f8be6370c55a329c65af586

SHA1
075bda4635e1d19c56ce3bd6bcb2cb2c37719c27

SHA256
b2c6fe205bbe3dea4f7cee1073eff88cb1f43d1477ac10ca4cee1d643d3680df

SHA512
5eb9757d844b1dc8e241ff9c3caa9c2b294a8682d4bd82e3b72628f1c5a416e28b85c409f8bb1f11a8c9f7c05c569a6f1725ad1be43fb4635d9e1c5417a0a53f

Download Submit
memory/3952-25-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/4716-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/4716-1-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/4716-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download