Malware Analysis Report

2025-01-18 14:34

Sample ID 240613-d66j5swglj
Target 2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker
SHA256 5d5a6efa8277419efedc7489ee45f363af5d38b4f15e330a08b7902f7bb5531c
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5d5a6efa8277419efedc7489ee45f363af5d38b4f15e330a08b7902f7bb5531c

Threat Level: Known bad

The file 2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

UPX dump on OEP (original entry point)

Detection of Cryptolocker Samples

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:38

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:38

Reported

2024-06-13 03:40

Platform

win7-20240221-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp

Files

memory/1620-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/1620-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

memory/1620-2-0x00000000004A0000-0x00000000004A6000-memory.dmp

memory/1620-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

MD5 ed85a38d83d761f68319e95d082b42fe
SHA1 db2c975d80c0acce3a0e6b201041164d5b696a2f
SHA256 c79d6b946066bc23ae6cc64a0a0b6390e272527dfd89cae56ca7dab1ee8745fc
SHA512 553b50a29c21469f8d073f82ddc4df4c534f6723e1837860fe1f7b4702a05f20d63a7bb15e9c222801c3ebda5841ecf236ff7a935fc908f173fef13339c7c51e

memory/1620-16-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3028-17-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3028-19-0x0000000000290000-0x0000000000296000-memory.dmp

memory/3028-26-0x0000000000240000-0x0000000000246000-memory.dmp

memory/3028-27-0x0000000000500000-0x0000000000510000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:38

Reported

2024-06-13 03:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_74db0dfcf0881cca7d7f6e7391448584_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp
US 8.8.8.8:53 emrlogistics.com udp

Files

memory/216-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/216-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

memory/216-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/216-9-0x00000000004D0000-0x00000000004D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asih.exe

MD5 ed85a38d83d761f68319e95d082b42fe
SHA1 db2c975d80c0acce3a0e6b201041164d5b696a2f
SHA256 c79d6b946066bc23ae6cc64a0a0b6390e272527dfd89cae56ca7dab1ee8745fc
SHA512 553b50a29c21469f8d073f82ddc4df4c534f6723e1837860fe1f7b4702a05f20d63a7bb15e9c222801c3ebda5841ecf236ff7a935fc908f173fef13339c7c51e

memory/216-17-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2376-18-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2376-20-0x00000000005E0000-0x00000000005E6000-memory.dmp

memory/2376-21-0x00000000005C0000-0x00000000005C6000-memory.dmp

memory/2376-27-0x0000000000500000-0x0000000000510000-memory.dmp