74a688f2c1dab558d14a5b8b2e2b6f2ca68c94ff53fe680966c2b8fdf5d82045

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 14:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe
Size

75KB
MD5

3a85d7b4f3c831d1246a57a853a8e5cf
SHA1

ab255b1e8cc3027e1a34aaba88b08052bf342b35
SHA256

74a688f2c1dab558d14a5b8b2e2b6f2ca68c94ff53fe680966c2b8fdf5d82045
SHA512

453672435bfb9d421cf1e516c5be282224d3522b3a27e06b4e166538f699ada9d5fbd9f5ac93096cece51ee02b6545bc61f8c44000cf8532cdb734cc85fa8353
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1rHsoLkR:X6a+SOtEvwDpjBZYvQd2q

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001466c-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001466c-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2256	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1084	2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2256	1084	2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe	28
PID 1084 wrote to memory of 2256	1084	2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe	28
PID 1084 wrote to memory of 2256	1084	2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe	28
PID 1084 wrote to memory of 2256	1084	2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_3a85d7b4f3c831d1246a57a853a8e5cf_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2256

Network

DNS

emrlogistics.com

asih.exe

Remote address:

8.8.8.8:53

Request

emrlogistics.com

IN A

Response

emrlogistics.com

IN CNAME

traff-2.hugedomains.com

traff-2.hugedomains.com

IN CNAME

hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com

hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com

IN A

3.130.253.23

hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com

IN A

3.130.204.160

3.130.253.23:443

emrlogistics.com

asih.exe

152 B
3
3.130.204.160:443

emrlogistics.com

asih.exe

152 B
3
3.130.253.23:443

emrlogistics.com

asih.exe

152 B
3
3.130.204.160:443

emrlogistics.com

asih.exe

152 B
3
3.130.253.23:443

emrlogistics.com

asih.exe

152 B
3
3.130.204.160:443

emrlogistics.com

asih.exe

152 B
3
3.130.253.23:443

emrlogistics.com

asih.exe

152 B
3
3.130.204.160:443

emrlogistics.com

asih.exe

52 B
1

8.8.8.8:53

emrlogistics.com

dns

asih.exe

62 B
192 B
1
1

DNS Request

emrlogistics.com

DNS Response

3.130.253.23

3.130.204.160

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
76KB

MD5
e712347deeb19a58e9afedef04493ac8

SHA1
24080d9891ce7caad2b190b9e9f87fd76ce1c25d

SHA256
898c13ab2f802dd91e12104b5e76bf1b8faae5bcc0db95aa25fab484a90ad1c5

SHA512
2b3648ca0e51b0e14653b994922211ad92d122c0e804b25eb15ba5295940f1874288087fd7c38e406efbb5abca7d43f53fa3b02d681afa1deb63c8ffa7745565

Download Submit
memory/1084-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1084-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1084-8-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2256-15-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2256-16-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download