Overview

overview

10

Static

static

10

2024-06-09...er.exe

windows7-x64

9

2024-06-09...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 03:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-09_f04a84c03a201bb5e3c5c6a039e4f3c5_cryptolocker.exe

  • Size

    50KB

  • MD5

    f04a84c03a201bb5e3c5c6a039e4f3c5

  • SHA1

    bf786d5826775bc966e98933b313ce9c99b0ce0d

  • SHA256

    15d799f4d08ad4ea32db3a9342d6cd2479dc7102ce6eebe2213906af2e4246fc

  • SHA512

    e4bd22e7d505e2db9969264972ed8b7fe1d21589a126314d58bee9e88770edfe2e45bf84ffa63f56bea53573a0d201f20b1669c21bc22aa5a29644c4508e0486

  • SSDEEP

    768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vdXfj:X6QFElP6n+gJBMOtEvwDpjBtEdXfj

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Detection of Cryptolocker Samples 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-09_f04a84c03a201bb5e3c5c6a039e4f3c5_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-09_f04a84c03a201bb5e3c5c6a039e4f3c5_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:4212

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-4.hugedomains.com
    traff-4.hugedomains.com
    IN CNAME
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    IN A
    52.86.6.113
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    IN A
    3.94.41.167
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.239.69.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.239.69.13.in-addr.arpa
    IN PTR
    Response
  • 52.86.6.113:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.94.41.167:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 52.86.6.113:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.94.41.167:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 52.86.6.113:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.94.41.167:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 52.86.6.113:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.94.41.167:443
    emrlogistics.com
    asih.exe
    104 B
     2
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     192 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    52.86.6.113
    3.94.41.167

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    73.239.69.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    73.239.69.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    50KB

    MD5

    f503e13b4569dfda3994f09e5b5e10ea

    SHA1

    eace9a163deb30251b589112624d53c6cfda36d8

    SHA256

    749c0590f97d26286508e52c377c1923ea7f694961886e02ade3c7e2d4e69d84

    SHA512

    531351ca97c553a6b415a6b59110daefa37265a3a0932d7e09909a8eda21fa51c1e43659a917445ef39b14255cad243a112302a866fe81963d3391ca45069d8a

    Download Submit

  • memory/4212-17-0x00000000004F0000-0x00000000004F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4212-23-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4556-0-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4556-1-0x00000000006D0000-0x00000000006D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4556-8-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.