Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/05/2024, 21:34 UTC

General

  • Target

    2024-05-01_de457d4cfe116818344677ffe51e8ecf_cryptolocker.exe

  • Size

    46KB

  • MD5

    de457d4cfe116818344677ffe51e8ecf

  • SHA1

    a53eb52d5f76a3a6eb2dc3a8ed1cbb9daa19ff4c

  • SHA256

    f9cf47e1b055ac5518cef2f79f5a3c5f763cf951fc19ddd697f24c462d9429a3

  • SHA512

    af3f63734bd5892db88e1c026963a62646b3a63301227ef6c0bf0ddf854f70001e9ea712178f3721d808e4aeb7e2191a4699108388672ab661de62fcceb6f442

  • SSDEEP

    768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLam5aFr7YOzzfm0EXsil:V6QFElP6n+gMQMOtEvwDpjyaYaFAh39l

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Detection of Cryptolocker Samples 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-01_de457d4cfe116818344677ffe51e8ecf_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-01_de457d4cfe116818344677ffe51e8ecf_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:1404
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:672

    Network

    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      emrlogistics.com
      asih.exe
      Remote address:
      8.8.8.8:53
      Request
      emrlogistics.com
      IN A
      Response
      emrlogistics.com
      IN CNAME
      traff-5.hugedomains.com
      traff-5.hugedomains.com
      IN CNAME
      hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
      hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
      IN A
      34.205.242.146
      hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
      IN A
      54.161.222.85
    • flag-us
      DNS
      240.197.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.197.17.2.in-addr.arpa
      IN PTR
      Response
      240.197.17.2.in-addr.arpa
      IN PTR
      a2-17-197-240deploystaticakamaitechnologiescom
    • flag-us
      DNS
      74.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      25.14.97.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.14.97.104.in-addr.arpa
      IN PTR
      Response
      25.14.97.104.in-addr.arpa
      IN PTR
      a104-97-14-25deploystaticakamaitechnologiescom
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN Unknown
      Response
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
      Response
      chromewebstore.googleapis.com
      IN A
      216.58.204.74
      chromewebstore.googleapis.com
      IN A
      216.58.213.10
      chromewebstore.googleapis.com
      IN A
      172.217.169.10
      chromewebstore.googleapis.com
      IN A
      216.58.212.202
      chromewebstore.googleapis.com
      IN A
      216.58.212.234
      chromewebstore.googleapis.com
      IN A
      172.217.169.74
      chromewebstore.googleapis.com
      IN A
      142.250.179.234
      chromewebstore.googleapis.com
      IN A
      142.250.180.10
      chromewebstore.googleapis.com
      IN A
      142.250.187.202
      chromewebstore.googleapis.com
      IN A
      142.250.187.234
      chromewebstore.googleapis.com
      IN A
      142.250.178.10
      chromewebstore.googleapis.com
      IN A
      172.217.16.234
      chromewebstore.googleapis.com
      IN A
      142.250.200.10
      chromewebstore.googleapis.com
      IN A
      142.250.200.42
      chromewebstore.googleapis.com
      IN A
      216.58.201.106
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN A
      Response
      pki.goog
      IN A
      216.239.32.29
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN Unknown
      Response
    • flag-us
      GET
      http://pki.goog/gsr1/gsr1.crt
      Remote address:
      216.239.32.29:80
      Request
      GET /gsr1/gsr1.crt HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 797
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Wed, 01 May 2024 21:32:25 GMT
      Expires: Wed, 01 May 2024 22:22:25 GMT
      Cache-Control: public, max-age=3000
      Age: 179
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gtsr1.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gtsr1.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1371
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Wed, 01 May 2024 21:20:57 GMT
      Expires: Wed, 01 May 2024 22:10:57 GMT
      Cache-Control: public, max-age=3000
      Age: 867
      Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gts1c3.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gts1c3.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1304
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Wed, 01 May 2024 21:22:09 GMT
      Expires: Wed, 01 May 2024 22:12:09 GMT
      Cache-Control: public, max-age=3000
      Age: 795
      Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      DNS
      74.204.58.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.204.58.216.in-addr.arpa
      IN PTR
      Response
      74.204.58.216.in-addr.arpa
      IN PTR
      lhr25s13-in-f101e100net
      74.204.58.216.in-addr.arpa
      IN PTR
      lhr48s49-in-f10
      74.204.58.216.in-addr.arpa
      IN PTR
      lhr25s13-in-f74
    • flag-us
      DNS
      29.32.239.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.32.239.216.in-addr.arpa
      IN PTR
      Response
      29.32.239.216.in-addr.arpa
      IN PTR
      any-in-201d1e100net
    • flag-us
      DNS
      249.197.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      249.197.17.2.in-addr.arpa
      IN PTR
      Response
      249.197.17.2.in-addr.arpa
      IN PTR
      a2-17-197-249deploystaticakamaitechnologiescom
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      10.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.179.89.13.in-addr.arpa
      IN PTR
      Response
    • 34.205.242.146:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 54.161.222.85:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 216.58.204.74:443
      chromewebstore.googleapis.com
      tls
      1.0kB
      5.2kB
      8
      8
    • 216.239.32.29:80
      http://pki.goog/repo/certs/gts1c3.der
      http
      1.3kB
      6.1kB
      10
      10

      HTTP Request

      GET http://pki.goog/gsr1/gsr1.crt

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gtsr1.der

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gts1c3.der

      HTTP Response

      200
    • 34.205.242.146:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 54.161.222.85:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 34.205.242.146:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 54.161.222.85:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 34.205.242.146:443
      emrlogistics.com
      asih.exe
      260 B
      5
    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      emrlogistics.com
      dns
      asih.exe
      62 B
      192 B
      1
      1

      DNS Request

      emrlogistics.com

      DNS Response

      34.205.242.146
      54.161.222.85

    • 8.8.8.8:53
      240.197.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      240.197.17.2.in-addr.arpa

    • 8.8.8.8:53
      74.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      74.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      25.14.97.104.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      25.14.97.104.in-addr.arpa

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      132 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      315 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

      DNS Response

      216.58.204.74
      216.58.213.10
      172.217.169.10
      216.58.212.202
      216.58.212.234
      172.217.169.74
      142.250.179.234
      142.250.180.10
      142.250.187.202
      142.250.187.234
      142.250.178.10
      172.217.16.234
      142.250.200.10
      142.250.200.42
      216.58.201.106

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      70 B
      1
      1

      DNS Request

      pki.goog

      DNS Response

      216.239.32.29

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      128 B
      1
      1

      DNS Request

      pki.goog

    • 8.8.8.8:53
      74.204.58.216.in-addr.arpa
      dns
      72 B
      171 B
      1
      1

      DNS Request

      74.204.58.216.in-addr.arpa

    • 8.8.8.8:53
      29.32.239.216.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      29.32.239.216.in-addr.arpa

    • 8.8.8.8:53
      249.197.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      249.197.17.2.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      10.179.89.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      10.179.89.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\asih.exe

      Filesize

      46KB

      MD5

      78d337ad4a21aa0f56b609eee8fb6e20

      SHA1

      0723a0b0fda4468e66a4e7d687b930045273906d

      SHA256

      1caf20d44d3f26f13effa9687139e3cdfa35577289b5070fb4bd5a0f614056d6

      SHA512

      8dba946c11ed1e093206332e73a36676220a6a0f02ccce0d87e834c3ec011be07510a7dafeae7885f3030088ed39f91ad8a626398c6d3cd709d03ae01e04bbf4

    • memory/1404-17-0x00000000006A0000-0x00000000006A6000-memory.dmp

      Filesize

      24KB

    • memory/1404-18-0x00000000007D0000-0x00000000007D6000-memory.dmp

      Filesize

      24KB

    • memory/4076-0-0x0000000002050000-0x0000000002056000-memory.dmp

      Filesize

      24KB

    • memory/4076-1-0x0000000002050000-0x0000000002056000-memory.dmp

      Filesize

      24KB

    • memory/4076-2-0x0000000002100000-0x0000000002106000-memory.dmp

      Filesize

      24KB
