b6e00bd2607dc5f70c5c1a5f8887dbd00e12bd1ba2c6951dcf4f174c3d3248d4

General

Target

2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe
Size

55KB
MD5

ae8f7f05d74442d58624577dfed88fa2
SHA1

3c2d3f9414b2c133661367f7d061654414a2e73e
SHA256

b6e00bd2607dc5f70c5c1a5f8887dbd00e12bd1ba2c6951dcf4f174c3d3248d4
SHA512

d02f21d51632641930275cbea1587375dba050f2e6f1fe787682f9e76d254741682c3b7f4720ccc0318238474c16f5112a820ab9990537387534d1d48ebde4ce
SSDEEP

1536:qmbhXDmjr5MOtEvwDpj5cDtKkQZQRKb61o:BbdDmjr+OtEvwDpjMa

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000013a1a-11.dat	CryptoLocker_rule2
behavioral1/memory/2752-13-0x00000000023A0000-0x00000000023B0000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000a000000013a1a-11.dat	UPX
behavioral1/memory/2752-13-0x00000000023A0000-0x00000000023B0000-memory.dmp	UPX
behavioral1/memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
3008	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3008

Network

DNS

emrlogistics.com

asih.exe

Remote address:

8.8.8.8:53

Request

emrlogistics.com

IN A

Response

emrlogistics.com

IN CNAME

traff-5.hugedomains.com

traff-5.hugedomains.com

IN CNAME

hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com

hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com

IN A

54.161.222.85

hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com

IN A

34.205.242.146

54.161.222.85:443

emrlogistics.com

asih.exe

152 B
3
34.205.242.146:443

emrlogistics.com

asih.exe

152 B
3
54.161.222.85:443

emrlogistics.com

asih.exe

152 B
3
34.205.242.146:443

emrlogistics.com

asih.exe

152 B
3
54.161.222.85:443

emrlogistics.com

asih.exe

152 B
3
34.205.242.146:443

emrlogistics.com

asih.exe

152 B
3
54.161.222.85:443

emrlogistics.com

asih.exe

152 B
3
34.205.242.146:443

emrlogistics.com

asih.exe

52 B
1

8.8.8.8:53

emrlogistics.com

dns

asih.exe

62 B
192 B
1
1

DNS Request

emrlogistics.com

DNS Response

54.161.222.85

34.205.242.146

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
56KB

MD5
091bb4f3e837515c52fbe869eb5feb8e

SHA1
1148a05816da70310f708f7a006791e0d61ed0f5

SHA256
07cddc56f2b5bf1c0a96fd50aa777cef139938c2529900d2d3a6cf82272b2f93

SHA512
3bd632b113fa63b67ebd62b49fee97d201d3146bf35b5bd486adf97b534d3e6719b2dbede16c76c2cb0019017b5674c328dc5de5a3b2db1813cb1c0b8e83a052

Download Submit
memory/2752-0-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2752-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2752-8-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2752-13-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3008-19-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/3008-23-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.