Malware Analysis Report

2025-06-16 07:26

Sample ID  240602-feey8abe5v
Target     2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker
SHA256     9f20d4f5908416e71943749e75a4b08fca964c87e6a93a233b81cdf792fd4f65
Tags       none listed
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score   10/10

SHA256  9f20d4f5908416e71943749e75a4b08fca964c87e6a93a233b81cdf792fd4f65

Threat Level: Known bad

The file 2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker was found to be: Known bad.

Malicious Activity Summary


Detection of Cryptolocker Samples

Detection of CryptoLocker Variants

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 04:46

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 04:46

Reported

2024-06-02 04:49

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description  Key value queried
Indicator    \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Process      C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe
Target       N/A

Executes dropped EXE

Description  N/A
Indicator    N/A
Process      C:\Users\Admin\AppData\Local\Temp\asih.exe
Target       N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country  Destination          Domain                            Proto
US       8.8.8.8:53           emrlogistics.com                  udp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       8.8.8.8:53           133.211.185.52.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53           72.32.126.40.in-addr.arpa         udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa       udp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa          udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa        udp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa        udp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       8.8.8.8:53                                             udp

Files

memory/3220-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

memory/3220-1-0x00000000005C0000-0x00000000005C6000-memory.dmp

memory/3220-8-0x00000000005A0000-0x00000000005A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asih.exe

MD5 ecd2085322991c5e2c7e82d3ecaab50b
SHA1 1fd503434b389d90eb6dcbdb16641df857e24fd1
SHA256 1457c61b6be61d43d5abf9d32ccb1f7c50cc319061ec9cd9f8e4470c4352d92f
SHA512 bb7346da0dbf6280e0177aad9cdedd670323967c5ec54c4d18c07ce367dab10a9e191fff086b854c93bb4057a152faa72f6d1ec843418081536457c14898f185

memory/348-17-0x00000000006D0000-0x00000000006D6000-memory.dmp

memory/348-23-0x00000000006A0000-0x00000000006A6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:46

Reported

2024-06-02 04:49

Platform

win7-20240419-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description  N/A
Indicator    N/A
Process      C:\Users\Admin\AppData\Local\Temp\asih.exe
Target       N/A

Loads dropped DLL

Description  N/A
Indicator    N/A
Process      C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe
Target       N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c6e2575af2bc37db023551ce04606835_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country  Destination          Domain                            Proto
US       8.8.8.8:53           emrlogistics.com                  udp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       3.140.13.188:443     emrlogistics.com                  tcp
US       18.119.154.66:443    emrlogistics.com                  tcp
US       3.140.13.188:443     emrlogistics.com                  tcp
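The two Network tables above (behavioral2 on Windows 10, behavioral1 on Windows 7) are flat text, and the report does not attribute flows to processes. The following is an added example, not part of the sandbox report, that parses both tables into structured flows, extracts the TCP endpoints actually connected per domain (the blockable indicators), and separates forward DNS lookups from the in-addr.arpa reverse lookups. The caveat it encodes: every PTR lookup in behavioral2 is for an address that never appears as a TCP destination in either table, so nothing in this report ties those lookups to the sample rather than to the sandbox host's own background traffic. The rows are copied verbatim from the tables above; the single behavioral2 row with no Domain cell is preserved as such rather than guessed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the behavioral2 and behavioral1 Network tables of this report.
BEHAVIORAL2_NETWORK = """\
US 8.8.8.8:53 emrlogistics.com udp
US 3.140.13.188:443 emrlogistics.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 18.119.154.66:443 emrlogistics.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 8.8.8.8:53 udp
"""
BEHAVIORAL1_NETWORK = """\
US 8.8.8.8:53 emrlogistics.com udp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
"""

# Country, ip:port, optional Domain cell (absent in the last behavioral2 row), proto.
ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:\s+(\S+))?\s+(tcp|udp)$")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]  # None when the report row has no Domain cell
    proto: str


def parse_flows(table: str) -> List[Flow]:
    flows: List[Flow] = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("Country"):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable network row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def ptr_target(name: Optional[str]) -> Optional[str]:
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize(flows: List[Flow]) -> dict:
    tcp_endpoints = Counter(f"{f.ip}:{f.port}" for f in flows if f.proto == "tcp")
    contacted_ips = {f.ip for f in flows if f.proto == "tcp"}
    dns = [f for f in flows if f.proto == "udp" and f.port == 53 and f.domain]
    forward_lookups = sorted({f.domain for f in dns if ptr_target(f.domain) is None})
    ptr_lookups = {f.domain: ptr_target(f.domain) for f in dns if ptr_target(f.domain)}
    # Reverse lookups for addresses that never appear as a TCP destination: the
    # report gives no per-process attribution, so these cannot be tied to the sample.
    unattributed = sorted(ip for ip in ptr_lookups.values() if ip not in contacted_ips)
    # Domain -> endpoints actually connected over TCP: the blockable network IOCs.
    tcp_by_domain: Dict[str, set] = {}
    for f in flows:
        if f.proto == "tcp" and f.domain:
            tcp_by_domain.setdefault(f.domain, set()).add(f"{f.ip}:{f.port}")
    return {
        "flow_count": len(flows),
        "tcp_endpoints": dict(tcp_endpoints),
        "forward_lookups": forward_lookups,
        "ptr_lookups": ptr_lookups,
        "unattributed_ptr_targets": unattributed,
        "tcp_by_domain": tcp_by_domain,
        "rows_missing_domain": sum(1 for f in flows if f.domain is None),
    }
```

Run `summarize(parse_flows(BEHAVIORAL2_NETWORK))` and `summarize(parse_flows(BEHAVIORAL1_NETWORK))`: both runs resolve emrlogistics.com and connect to the same two 443 endpoints four times each, while the seven reverse lookups occur only in the Windows 10 run and all land in `unattributed_ptr_targets`.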

Files

memory/3000-0-0x0000000000240000-0x0000000000246000-memory.dmp

memory/3000-1-0x0000000000310000-0x0000000000316000-memory.dmp

memory/3000-8-0x0000000000240000-0x0000000000246000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

MD5 ecd2085322991c5e2c7e82d3ecaab50b
SHA1 1fd503434b389d90eb6dcbdb16641df857e24fd1
SHA256 1457c61b6be61d43d5abf9d32ccb1f7c50cc319061ec9cd9f8e4470c4352d92f
SHA512 bb7346da0dbf6280e0177aad9cdedd670323967c5ec54c4d18c07ce367dab10a9e191fff086b854c93bb4057a152faa72f6d1ec843418081536457c14898f185

memory/2984-22-0x00000000002C0000-0x00000000002C6000-memory.dmp
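The Files sections of both runs list memory-dump entries named by process ID, capture index and address range, and both runs drop an asih.exe with the identical SHA256, so the dropped payload is the same file on Windows 7 and Windows 10. The following is an added example, not part of the sandbox report, that parses the dump entries from both runs, groups them by PID, and flags address ranges captured more than once; those pairs are the ones to diff when looking for code written into a region between captures. The entry names are copied from the sections above; reading them as memory/<pid>-<index>-<start>-<end>-memory.dmp is an assumption taken from the names themselves, and the two runs are kept as separate inputs because PIDs are only meaningful within one run.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Entry names copied from the behavioral2 and behavioral1 Files sections of this report.
BEHAVIORAL2_DUMPS = """\
memory/3220-0-0x00000000005A0000-0x00000000005A6000-memory.dmp
memory/3220-1-0x00000000005C0000-0x00000000005C6000-memory.dmp
memory/3220-8-0x00000000005A0000-0x00000000005A6000-memory.dmp
memory/348-17-0x00000000006D0000-0x00000000006D6000-memory.dmp
memory/348-23-0x00000000006A0000-0x00000000006A6000-memory.dmp
"""
BEHAVIORAL1_DUMPS = """\
memory/3000-0-0x0000000000240000-0x0000000000246000-memory.dmp
memory/3000-1-0x0000000000310000-0x0000000000316000-memory.dmp
memory/3000-8-0x0000000000240000-0x0000000000246000-memory.dmp
memory/2984-22-0x00000000002C0000-0x00000000002C6000-memory.dmp
"""

# Assumed layout of the entry name: memory/<pid>-<capture index>-<start>-<end>-memory.dmp
NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PAGE = 0x1000  # x86/x64 page size used for the alignment check


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    index: int  # capture order within the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def page_aligned(self) -> bool:
        return self.start % PAGE == 0 and self.size % PAGE == 0


def parse_dumps(listing: str) -> List[DumpRegion]:
    regions: List[DumpRegion] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NAME_RE.match(line)
        if m is None:
            raise ValueError(f"not a memory dump entry: {line!r}")
        pid, idx, start, end = m.groups()
        region = DumpRegion(int(pid), int(idx), int(start, 16), int(end, 16))
        if region.size <= 0:
            raise ValueError(f"empty or inverted range: {line!r}")
        regions.append(region)
    return sorted(regions, key=lambda r: (r.pid, r.index))


def by_pid(regions: List[DumpRegion]) -> Dict[int, List[DumpRegion]]:
    grouped: Dict[int, List[DumpRegion]] = defaultdict(list)
    for r in regions:
        grouped[r.pid].append(r)
    return dict(grouped)


def recaptured(regions: List[DumpRegion]) -> Dict[Tuple[int, int, int], List[int]]:
    """(pid, start, end) -> capture indices, for ranges dumped more than once."""
    seen: Dict[Tuple[int, int, int], List[int]] = defaultdict(list)
    for r in regions:
        seen[(r.pid, r.start, r.end)].append(r.index)
    return {k: v for k, v in seen.items() if len(v) > 1}


def size_histogram(regions: List[DumpRegion]) -> Dict[int, int]:
    """Region size in bytes -> number of dumps of that size."""
    hist: Dict[int, int] = defaultdict(int)
    for r in regions:
        hist[r.size] += 1
    return dict(hist)
```

On the entries above, every dump covers exactly 0x6000 bytes (six pages), and each run has one range captured twice: 0x5A0000-0x5A6000 in PID 3220 (captures 0 and 8) on Windows 10 and 0x240000-0x246000 in PID 3000 (captures 0 and 8) on Windows 7.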