Malware Analysis Report

2025-01-18 12:51

Sample ID 240613-eejrqsxarp
Target 2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker
SHA256 b4ac22c0f747068ec35ceaabba3edfb7b8a7fdc1996787003b925ec6ae6dcce2
Tags
upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4ac22c0f747068ec35ceaabba3edfb7b8a7fdc1996787003b925ec6ae6dcce2

Threat Level: Known bad

The file 2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker was found to be: Known bad.

Malicious Activity Summary

upx

UPX dump on OEP (original entry point)

Detection of Cryptolocker Samples

Detection of CryptoLocker Variants

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:51

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
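The static signatures above ("UPX packed file", "Unsigned PE") and the per-file hash block in the Files sections are the two things an analyst re-checks by hand on a recovered binary before trusting the report. The following is an added example, not part of the sandbox report: it parses the PE section table to look for UPX's default section names and packer magic, and compares a file's digests against the values the report lists for the dropped asih.exe. The PE built by make_stub_pe() is a constructed stand-in for illustration, not the analysed sample.

```python
"""Added example (not from the sandbox report): two checks an analyst runs on
a dropped file like asih.exe before trusting the report's "UPX packed file"
and hash fields. The PE built by make_stub_pe() is a constructed stand-in,
not the analysed sample."""
import hashlib
import struct

# Hashes copied from this report's Files section for the dropped asih.exe.
REPORTED_ASIH_HASHES = {
    "md5": "33b6fb418af538acdd8a52940b1535f7",
    "sha1": "174356feee1466b7bac65a29ea8ebfde9ce5559a",
    "sha256": "f851d435b7be29f81409897f86cbcc3af2434d44437276e417219c1db2a8ea80",
}


def file_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests, the set a triage report lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, reported: dict) -> bool:
    """True only if every reported digest matches the bytes on disk."""
    actual = file_hashes(data)
    return all(actual[alg] == digest for alg, digest in reported.items())


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX's default section names (UPX0/UPX1/UPX2) or its 'UPX!'
    packer-header magic. Both are trivially renamed by the operator, so a
    negative result does not prove the file is unpacked."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def make_stub_pe(section_names) -> bytes:
    """Constructed test input: a minimal PE32 skeleton with the given section
    table. It is not executable and is not the sample from the report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 224  # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    sections = b"".join(name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for name in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    packed = make_stub_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(packed), is_upx_packed(packed))
    print(matches_report(packed, REPORTED_ASIH_HASHES))  # False: stub, not asih.exe
```

The section-name check is the same cheap heuristic the sandbox's "upx" tag rests on; a renamed section table defeats it, which is why the "UPX dump on OEP" signature (dumping the unpacked image once execution reaches the original entry point) is the result to rely on, not the tag.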

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:51

Reported

2024-06-13 03:53

Platform

win7-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A (6 matches)

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A (6 matches)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (6 matches)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches)

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 emrlogistics.com udp 1
US 52.71.57.184:443 emrlogistics.com tcp 4
US 54.209.32.212:443 emrlogistics.com tcp 4

Files

memory/2248-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2248-1-0x00000000002D0000-0x00000000002D6000-memory.dmp

memory/2248-3-0x0000000000300000-0x0000000000306000-memory.dmp

memory/2248-2-0x00000000002D0000-0x00000000002D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

MD5 33b6fb418af538acdd8a52940b1535f7
SHA1 174356feee1466b7bac65a29ea8ebfde9ce5559a
SHA256 f851d435b7be29f81409897f86cbcc3af2434d44437276e417219c1db2a8ea80
SHA512 4f9974cace888d36c5f8972be29dc7d881aea8c6f899d7eba5eafc1311130083a9d9a900a5031695a31bab612041b4fd262cc9e83dc7249e7a117ee7d12d06f6

memory/2248-13-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/2248-16-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2328-17-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2328-19-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2328-20-0x0000000000280000-0x0000000000286000-memory.dmp

memory/2328-27-0x0000000000500000-0x0000000000510000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:51

Reported

2024-06-13 03:53

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A (4 matches)

Detection of Cryptolocker Samples

Description Indicator Process Target
N/A N/A N/A N/A (4 matches)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (4 matches)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 matches)

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"
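The behavioral signatures and process tree above (a binary in the user's Temp directory dropping and executing asih.exe from the same directory, a query of the Geo\Nation registry value, and DNS lookups of emrlogistics.com) translate directly into hunt rules. The following is an added example, not part of the sandbox report: it runs those rules over constructed EDR-style telemetry modelled on this report. The event shapes, the pids, the parent of the first process and the attribution of the DNS lookup to the dropped process are assumptions made for the example; the report itself does not state them.

```python
"""Added example (not from the sandbox report): hunt rules for the behaviours
this report records, run over constructed EDR-style telemetry. EVENTS is
modelled on the report's process tree, registry query and DNS traffic; the
parent of the first process, the pids and the event shapes are assumptions."""
from fnmatch import fnmatch

# Indicators taken from this report.
IOC_DOMAINS = {"emrlogistics.com"}
IOC_SHA256 = {
    "b4ac22c0f747068ec35ceaabba3edfb7b8a7fdc1996787003b925ec6ae6dcce2",  # submitted sample
    "f851d435b7be29f81409897f86cbcc3af2434d44437276e417219c1db2a8ea80",  # dropped asih.exe
}
USER_TEMP = r"c:\users\*\appdata\local\temp\*"
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_d38fb82b8d09bb2ba381b0444f53fc3f_cryptolocker.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\asih.exe"

# Constructed telemetry (not sandbox output); parent of SAMPLE is assumed.
EVENTS = [
    {"type": "process", "pid": 2248, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "b4ac22c0f747068ec35ceaabba3edfb7b8a7fdc1996787003b925ec6ae6dcce2"},
    {"type": "registry", "pid": 2248, "image": SAMPLE, "op": "query",
     "target": r"HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 2328, "image": DROPPED, "parent_image": SAMPLE,
     "sha256": "f851d435b7be29f81409897f86cbcc3af2434d44437276e417219c1db2a8ea80"},
    {"type": "dns", "pid": 2328, "image": DROPPED,
     "query": "emrlogistics.com", "server": "8.8.8.8"},
    # benign control event: must produce no alert
    {"type": "process", "pid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "0" * 64},
]


def in_user_temp(path: str) -> bool:
    """Case-insensitive match against the per-user Temp directory."""
    return fnmatch(path.lower(), USER_TEMP)


def evaluate(events) -> list:
    """Return (rule_name, pid) pairs in event order. The Geo\\Nation query on
    its own is noisy (legitimate installers read it), so that rule only fires
    for binaries running out of a user Temp directory."""
    alerts = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process":
            if ev.get("sha256", "").lower() in IOC_SHA256:
                alerts.append(("ioc_hash", pid))
            if in_user_temp(ev["image"]) and in_user_temp(ev["parent_image"]):
                alerts.append(("temp_exec_chain", pid))      # "Executes dropped EXE"
        elif kind == "registry":
            if (ev["target"].lower().endswith(GEO_NATION_SUFFIX)
                    and in_user_temp(ev["image"])):
                alerts.append(("geo_nation_query", pid))     # "Checks computer location settings"
        elif kind == "dns":
            if ev["query"].lower().rstrip(".") in IOC_DOMAINS:
                alerts.append(("ioc_dns", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:18} pid={pid}")
```

The hash and domain rules are exact-match IOCs and go stale as soon as the operator rebuilds the sample or rotates infrastructure; the Temp-to-Temp execution chain and the Temp-resident Geo\Nation query are the behavioural rules that survive that, at the cost of needing the Temp-path guard to keep them quiet on ordinary installers.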

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 emrlogistics.com udp 13

Files

memory/4808-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/4808-1-0x0000000000830000-0x0000000000836000-memory.dmp

memory/4808-3-0x00000000020F0000-0x00000000020F6000-memory.dmp

memory/4808-9-0x0000000000830000-0x0000000000836000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asih.exe

MD5 33b6fb418af538acdd8a52940b1535f7
SHA1 174356feee1466b7bac65a29ea8ebfde9ce5559a
SHA256 f851d435b7be29f81409897f86cbcc3af2434d44437276e417219c1db2a8ea80
SHA512 4f9974cace888d36c5f8972be29dc7d881aea8c6f899d7eba5eafc1311130083a9d9a900a5031695a31bab612041b4fd262cc9e83dc7249e7a117ee7d12d06f6

memory/4808-17-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2924-19-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/2924-25-0x00000000004D0000-0x00000000004D6000-memory.dmp

memory/2924-26-0x0000000000500000-0x0000000000510000-memory.dmp