Malware Analysis Report

2025-01-18 13:34

Sample ID 240613-dxfx5awdpn
Target 2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker
SHA256 d819fd7adc58b073c6ff0b2b43e0d7e9de83f13c280af8d87a2a2636e0e4afb6
Score 10/10

Analysis Overview

Score 10/10

SHA256

d819fd7adc58b073c6ff0b2b43e0d7e9de83f13c280af8d87a2a2636e0e4afb6

Threat Level: Known bad

The file 2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

Detection of Cryptolocker Samples

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:23

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:23

Reported

2024-06-13 03:25

Platform

win7-20240419-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
(the same DNS query to 8.8.8.8:53 for emrlogistics.com is recorded 13 times)

Files

memory/2312-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2312-1-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/2312-8-0x00000000001C0000-0x00000000001C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

MD5 68ff1b6441c1a3e446a7463dcb041d1f
SHA1 84d68fc4c39f4a3abaf77e5ccba1be5941e606af
SHA256 774c70728501f1985e8464ee7d23c11a67ae21b7a2cd3f1cafe98ab3c9689a6f
SHA512 e67b4b7ab0c1427fd3086329ac7a00577b5a0fdd73e99a8bc8cbdc38c5e9775991178b7b9a3fd41f11d8192dd1e1c2e7dd6a1776eea04b7cf8d2a7ce44b05713

memory/2164-22-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2164-15-0x0000000000310000-0x0000000000316000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:23

Reported

2024-06-13 03:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_047ed4aecde414a9276158d9f53ae710_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
(the same DNS query to 8.8.8.8:53 for emrlogistics.com is recorded 13 times)

Files

memory/3592-0-0x00000000006B0000-0x00000000006B6000-memory.dmp

memory/3592-1-0x0000000002100000-0x0000000002106000-memory.dmp

memory/3592-8-0x00000000006B0000-0x00000000006B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asih.exe

MD5 68ff1b6441c1a3e446a7463dcb041d1f
SHA1 84d68fc4c39f4a3abaf77e5ccba1be5941e606af
SHA256 774c70728501f1985e8464ee7d23c11a67ae21b7a2cd3f1cafe98ab3c9689a6f
SHA512 e67b4b7ab0c1427fd3086329ac7a00577b5a0fdd73e99a8bc8cbdc38c5e9775991178b7b9a3fd41f11d8192dd1e1c2e7dd6a1776eea04b7cf8d2a7ce44b05713

memory/2308-17-0x00000000006D0000-0x00000000006D6000-memory.dmp

memory/2308-23-0x0000000000660000-0x0000000000666000-memory.dmp