Analysis Overview
SHA256
17239b2bab05a6a102de10d5b4679ddd22ea848cbb1aca16f30e09348fcb7aaa
Threat Level: Shows suspicious behavior
The file 2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker was assigned the verdict "Shows suspicious behavior".
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 18:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 18:43
Reported
2024-11-09 18:45
Platform
win7-20240903-en
Max time kernel
140s
Max time network
142s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asih.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\asih.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 2352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 2352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 2352 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 3.140.13.188:443 | emrlogistics.com | tcp |
| US | 18.119.154.66:443 | emrlogistics.com | tcp |
| US | 3.140.13.188:443 | emrlogistics.com | tcp |
| US | 18.119.154.66:443 | emrlogistics.com | tcp |
| US | 3.140.13.188:443 | emrlogistics.com | tcp |
| US | 18.119.154.66:443 | emrlogistics.com | tcp |
| US | 3.140.13.188:443 | emrlogistics.com | tcp |
Files
memory/2352-0-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2352-3-0x0000000000210000-0x0000000000216000-memory.dmp
memory/2352-2-0x00000000001D0000-0x00000000001D6000-memory.dmp
memory/2352-1-0x00000000001D0000-0x00000000001D6000-memory.dmp
\Users\Admin\AppData\Local\Temp\asih.exe
| Hash | Value |
| --- | --- |
| MD5 | 8b0c030809584a2f47969ae5ae48234e |
| SHA1 | 76daa5b64d9fd1676e3deeb039918d362ef64fb6 |
| SHA256 | 4a91d814043e90b32fff0461e814b9395962e92dbdc144a7efb3aecbd08e181f |
| SHA512 | 8ef21c9a0591fc335aacd56e240d12f6f4921c4da79556733477ac96eb1301b6fd9471cb7eee6e74d10ca29ba895f07ee864ba10e48035f3ecd21553e8a44b1d |
memory/2352-16-0x0000000000500000-0x0000000000510000-memory.dmp
memory/1928-18-0x0000000000370000-0x0000000000376000-memory.dmp
memory/1928-25-0x00000000002B0000-0x00000000002B6000-memory.dmp
memory/1928-26-0x0000000000500000-0x0000000000510000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 18:43
Reported
2024-11-09 18:45
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asih.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\asih.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2844 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 2844 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
| PID 2844 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\asih.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | emrlogistics.com | udp |
| US | 3.130.253.23:443 | emrlogistics.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 3.130.204.160:443 | emrlogistics.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 3.130.253.23:443 | emrlogistics.com | tcp |
| US | 3.130.204.160:443 | emrlogistics.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 3.130.253.23:443 | emrlogistics.com | tcp |
| US | 3.130.204.160:443 | emrlogistics.com | tcp |
| US | 3.130.253.23:443 | emrlogistics.com | tcp |
| US | 3.130.204.160:443 | emrlogistics.com | tcp |
Files
memory/2844-0-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2844-1-0x0000000000560000-0x0000000000566000-memory.dmp
memory/2844-2-0x0000000000560000-0x0000000000566000-memory.dmp
memory/2844-3-0x0000000002070000-0x0000000002076000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asih.exe
| Hash | Value |
| --- | --- |
| MD5 | 8b0c030809584a2f47969ae5ae48234e |
| SHA1 | 76daa5b64d9fd1676e3deeb039918d362ef64fb6 |
| SHA256 | 4a91d814043e90b32fff0461e814b9395962e92dbdc144a7efb3aecbd08e181f |
| SHA512 | 8ef21c9a0591fc335aacd56e240d12f6f4921c4da79556733477ac96eb1301b6fd9471cb7eee6e74d10ca29ba895f07ee864ba10e48035f3ecd21553e8a44b1d |
memory/2844-18-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2776-20-0x00000000007F0000-0x00000000007F6000-memory.dmp
memory/2776-26-0x00000000006A0000-0x00000000006A6000-memory.dmp
memory/2776-27-0x0000000000500000-0x0000000000510000-memory.dmp