Analysis Overview
SHA256
5d5a6efa8277419efedc7489ee45f363af5d38b4f15e330a08b7902f7bb5531c
Threat Level: Known bad
The file 2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Detection of CryptoLocker Variants
UPX dump on OEP (original entry point)
UPX dump on OEP (original entry point)
Detection of CryptoLocker Variants
Detection of Cryptolocker Samples
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 03:38
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 03:38
Reported
2024-06-13 03:40
Platform
win7-20240221-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detection of Cryptolocker Samples
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asih.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1620 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 1620 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 1620 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 1620 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 3.18.7.81:443 | emrlogistics.com | tcp |
| US | 3.19.116.195:443 | emrlogistics.com | tcp |
| US | 3.18.7.81:443 | emrlogistics.com | tcp |
| US | 3.19.116.195:443 | emrlogistics.com | tcp |
| US | 3.18.7.81:443 | emrlogistics.com | tcp |
| US | 3.19.116.195:443 | emrlogistics.com | tcp |
| US | 3.18.7.81:443 | emrlogistics.com | tcp |
| US | 3.19.116.195:443 | emrlogistics.com | tcp |
Files
memory/1620-0-0x0000000000500000-0x0000000000510000-memory.dmp
memory/1620-1-0x00000000002C0000-0x00000000002C6000-memory.dmp
memory/1620-2-0x00000000004A0000-0x00000000004A6000-memory.dmp
memory/1620-9-0x00000000002C0000-0x00000000002C6000-memory.dmp
\Users\Admin\AppData\Local\Temp\asih.exe
| MD5 | ed85a38d83d761f68319e95d082b42fe |
| SHA1 | db2c975d80c0acce3a0e6b201041164d5b696a2f |
| SHA256 | c79d6b946066bc23ae6cc64a0a0b6390e272527dfd89cae56ca7dab1ee8745fc |
| SHA512 | 553b50a29c21469f8d073f82ddc4df4c534f6723e1837860fe1f7b4702a05f20d63a7bb15e9c222801c3ebda5841ecf236ff7a935fc908f173fef13339c7c51e |
memory/1620-16-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3028-17-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3028-19-0x0000000000290000-0x0000000000296000-memory.dmp
memory/3028-26-0x0000000000240000-0x0000000000246000-memory.dmp
memory/3028-27-0x0000000000500000-0x0000000000510000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 03:38
Reported
2024-06-13 03:40
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detection of Cryptolocker Samples
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asih.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 216 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 216 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
Files
memory/216-0-0x0000000000500000-0x0000000000510000-memory.dmp
memory/216-1-0x00000000004D0000-0x00000000004D6000-memory.dmp
memory/216-2-0x00000000004F0000-0x00000000004F6000-memory.dmp
memory/216-9-0x00000000004D0000-0x00000000004D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asih.exe
| MD5 | ed85a38d83d761f68319e95d082b42fe |
| SHA1 | db2c975d80c0acce3a0e6b201041164d5b696a2f |
| SHA256 | c79d6b946066bc23ae6cc64a0a0b6390e272527dfd89cae56ca7dab1ee8745fc |
| SHA512 | 553b50a29c21469f8d073f82ddc4df4c534f6723e1837860fe1f7b4702a05f20d63a7bb15e9c222801c3ebda5841ecf236ff7a935fc908f173fef13339c7c51e |
memory/216-17-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2376-18-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2376-20-0x00000000005E0000-0x00000000005E6000-memory.dmp
memory/2376-21-0x00000000005C0000-0x00000000005C6000-memory.dmp
memory/2376-27-0x0000000000500000-0x0000000000510000-memory.dmp