3d95c66b66e6ed212f78136dc342e0f276fdfa0e59067190384a116b9cc41cd5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 08:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe
Size

44KB
MD5

8d555654fedb33946d5f85b2bd3ae002
SHA1

6a93a1860b2125fa363a2c7148ec9ba95ba3d774
SHA256

3d95c66b66e6ed212f78136dc342e0f276fdfa0e59067190384a116b9cc41cd5
SHA512

769f2dd05ff27f5a089aa4be554e08e51bc573da591204e654e0a95c6810ac3fa7251aef60e7efdaa13d5ec03dfda6d7b4e37169c943bcb3d68be314568da013
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HK/wSvuQTCyD/95WQS:X6QFElP6n+gJQMOtEvwDpjBsYK/fbDFA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
864	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 864	3516	2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe	82
PID 3516 wrote to memory of 864	3516	2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe	82
PID 3516 wrote to memory of 864	3516	2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_8d555654fedb33946d5f85b2bd3ae002_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:864

Network

DNS

emrlogistics.com

asih.exe

Remote address:

8.8.8.8:53

Request

emrlogistics.com

IN A

Response

emrlogistics.com

IN CNAME

traff-1.hugedomains.com

traff-1.hugedomains.com

IN CNAME

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

54.209.32.212

hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com

IN A

52.71.57.184
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5
54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5
54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

260 B
5
54.209.32.212:443

emrlogistics.com

asih.exe

260 B
5
52.71.57.184:443

emrlogistics.com

asih.exe

104 B
2

8.8.8.8:53

emrlogistics.com

dns

asih.exe

62 B
192 B
1
1

DNS Request

emrlogistics.com

DNS Response

54.209.32.212

52.71.57.184
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
45KB

MD5
ddd8c7b4bf7bb383042c270a09ee729e

SHA1
2d459b7a3ca88728283f45de0c589807a88ea1ca

SHA256
45fd836386d69eb843dd282fe88dbee7734bfe1e162e255440d3d4f17b6a22f0

SHA512
5b2a6ad57f523b6c39c7dbabba84662870e1cb5411515d14c1d04664715f133fb753c59b6bf40e702f6eddfc319db5a6bffa965c383e5c7d5664892de88f2ae4

Download Submit
memory/864-17-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/864-23-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/3516-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3516-1-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3516-2-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.