d819174d1c295682a4d192fd28759a2f6920fae132ebb07c49f787d7a787d3be

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 12:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe
Size

94KB
MD5

cc1a18fabb960c215d97fc94d8965877
SHA1

ecfe1ea4540642428b6d1579c92b1910b858c86a
SHA256

d819174d1c295682a4d192fd28759a2f6920fae132ebb07c49f787d7a787d3be
SHA512

4476be96162cfaffbfd56a716b4d110e4f05290f3235af3856e896e77377135eea24b953317c139f061c55617e99006277c518f0b412748d547f769b1a5eea5a
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwMgo:V6a+pOtEvwDpjtzE

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000001ea83-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000001ea83-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4972	2260	2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe	91
PID 2260 wrote to memory of 4972	2260	2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe	91
PID 2260 wrote to memory of 4972	2260	2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5544

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

37.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

37.56.20.217.in-addr.arpa

IN PTR

Response
DNS

emrlogistics.com

asih.exe

Remote address:

8.8.8.8:53

Request

emrlogistics.com

IN A

Response

emrlogistics.com

IN CNAME

traff-1.hugedomains.com

traff-1.hugedomains.com

IN CNAME

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

52.71.57.184

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

54.209.32.212
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

215.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.143.182.52.in-addr.arpa

IN PTR

Response

52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5
142.250.187.202:443

46 B
40 B
1
1
54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5
54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5
54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

37.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

37.56.20.217.in-addr.arpa
8.8.8.8:53

emrlogistics.com

dns

asih.exe

62 B
192 B
1
1

DNS Request

emrlogistics.com

DNS Response

52.71.57.184

54.209.32.212
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

215.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

215.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
94KB

MD5
a0a055586aabe1e277e54ba968193993

SHA1
83c842b99f8faf0455fe15d34a4947719c1242a7

SHA256
17e92511b42a13e09f31e2ae34d6828d07a8245cd0b96efa0b42a3c7e28679f7

SHA512
0fe9eb71309d1c36373814d6c9ab5d07d0a3a2e08ec3f19ed95fafa3e249eb146bb5c8a9478600dd91464e5bc025ec6cd396c2c25d0ae0b01e58880f3ffbe21d

Download Submit
memory/2260-0-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2260-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2260-2-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/4972-17-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/4972-18-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.