4a37718ed1d5562998067917a085fd11e360c2026b141e12df963b878bc22a15

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 03:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe
Size

36KB
MD5

71e70005cc72e17e2c50c9f7937bc2d0
SHA1

6029d6ca2bf1dcf7401bd08568b9297bba43304b
SHA256

4a37718ed1d5562998067917a085fd11e360c2026b141e12df963b878bc22a15
SHA512

0103bdefc90ea3bcd5aa12433e1ae98fbd5f6c038116dd93220508f58822a9c7370905450f1f8e8d64fe01dfcf259f5bc5ecdc118c9f4849a760fbc94e27b373
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFCW:X6QFElP6n+gJQMOtEvwDpjBmzDUW

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023238-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023238-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3924	976	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe	83
PID 976 wrote to memory of 3924	976	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe	83
PID 976 wrote to memory of 3924	976	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3924

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

emrlogistics.com

asih.exe

Remote address:

8.8.8.8:53

Request

emrlogistics.com

IN A

Response

emrlogistics.com

IN CNAME

traff-4.hugedomains.com

traff-4.hugedomains.com

IN CNAME

hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com

hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com

IN A

52.86.6.113

hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com

IN A

3.94.41.167
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

26.178.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.178.89.13.in-addr.arpa

IN PTR

Response

52.86.6.113:443

emrlogistics.com

asih.exe

260 B
5
3.94.41.167:443

emrlogistics.com

asih.exe

260 B
5
52.86.6.113:443

emrlogistics.com

asih.exe

260 B
5
3.94.41.167:443

emrlogistics.com

asih.exe

260 B
5
52.86.6.113:443

emrlogistics.com

asih.exe

260 B
5
3.94.41.167:443

emrlogistics.com

asih.exe

260 B
5
52.86.6.113:443

emrlogistics.com

asih.exe

260 B
5
3.94.41.167:443

emrlogistics.com

asih.exe

52 B
1

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

emrlogistics.com

dns

asih.exe

62 B
192 B
1
1

DNS Request

emrlogistics.com

DNS Response

52.86.6.113

3.94.41.167
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

26.178.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

26.178.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
36KB

MD5
3af533734b17ae1cc4e7b641a6aa6296

SHA1
d748204989d576c2580296ed291a726fa07d6702

SHA256
995860fa520c2cd039a7000e3016ae0b701e5e1ff2483a7294f85f26a54b9e1b

SHA512
8d014378e4bd46aebbbf0fa5bd783e683e5053390b679331c210bede59aaf314337455b154bfc2fd641dd0891df64e36e1be924c0cdcaea2444cd1afe85a172c

Download Submit
memory/976-0-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/976-1-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/976-2-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/3924-18-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3924-17-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.