6c5b089c49f996f9a35bccc58e1783dcefa6db175f1740ae15d7abcdb54334be

Analysis

max time kernel
132s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 15:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe
Size

64KB
MD5

cadd61fd812d190ca5fdec881ca7f5c9
SHA1

b8b6f5a94d7c1fd59fde3928149c99107d89a2ae
SHA256

6c5b089c49f996f9a35bccc58e1783dcefa6db175f1740ae15d7abcdb54334be
SHA512

b8502f68c038ef61b6d4eac2b3bc83e7e311e226191d1e75c016d1729734274aa9966f01f1b75354fc4e57247ddb119167191d5c4d6b2adffb20cde27224e04a
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBccD2RuoNmuBLZ/xblzoU:X6a+SOtEvwDpjBrOV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012247-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012247-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
3012	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3012	2648	2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe	28
PID 2648 wrote to memory of 3012	2648	2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe	28
PID 2648 wrote to memory of 3012	2648	2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe	28
PID 2648 wrote to memory of 3012	2648	2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_cadd61fd812d190ca5fdec881ca7f5c9_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3012

Network

DNS

emrlogistics.com

asih.exe

Remote address:

8.8.8.8:53

Request

emrlogistics.com

IN A

Response

emrlogistics.com

IN CNAME

traff-1.hugedomains.com

traff-1.hugedomains.com

IN CNAME

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

52.71.57.184

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

54.209.32.212

52.71.57.184:443

emrlogistics.com

asih.exe

152 B
3
54.209.32.212:443

emrlogistics.com

asih.exe

152 B
3
52.71.57.184:443

emrlogistics.com

asih.exe

152 B
3
54.209.32.212:443

emrlogistics.com

asih.exe

152 B
3
52.71.57.184:443

emrlogistics.com

asih.exe

152 B
3
54.209.32.212:443

emrlogistics.com

asih.exe

152 B
3
52.71.57.184:443

emrlogistics.com

asih.exe

152 B
3

8.8.8.8:53

emrlogistics.com

dns

asih.exe

62 B
192 B
1
1

DNS Request

emrlogistics.com

DNS Response

52.71.57.184

54.209.32.212

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
6bed0898c4ffd397b3c52f743ead7b00

SHA1
b8da5cf6b9dd075df2a42a67dcd5001c402b2368

SHA256
95ac561d02998c8f4d44e7f0fd2390c61e5c2eb1f6455487d8be5a1bceb81ab8

SHA512
a4d3ca835e2a350e0af15dd6617c34621029ea6ab9d23484f1559772dcb92578950ace04a72309eecc38aec6aebc75635a845399e1d4f531a62238cbd31cbe30

Download Submit
memory/2648-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2648-2-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2648-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3012-15-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download