Malware Analysis Report

2025-04-03 19:51

Sample ID 241109-xc32pssngl
Target 2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker
SHA256 17239b2bab05a6a102de10d5b4679ddd22ea848cbb1aca16f30e09348fcb7aaa
Tags
upx discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

17239b2bab05a6a102de10d5b4679ddd22ea848cbb1aca16f30e09348fcb7aaa

Threat Level: Shows suspicious behavior

The file 2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx discovery

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 18:43

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 18:43

Reported

2024-11-09 18:45

Platform

win7-20240903-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 3.140.13.188:443 emrlogistics.com tcp

Files

memory/2352-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2352-3-0x0000000000210000-0x0000000000216000-memory.dmp

memory/2352-2-0x00000000001D0000-0x00000000001D6000-memory.dmp

memory/2352-1-0x00000000001D0000-0x00000000001D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

MD5 8b0c030809584a2f47969ae5ae48234e
SHA1 76daa5b64d9fd1676e3deeb039918d362ef64fb6
SHA256 4a91d814043e90b32fff0461e814b9395962e92dbdc144a7efb3aecbd08e181f
SHA512 8ef21c9a0591fc335aacd56e240d12f6f4921c4da79556733477ac96eb1301b6fd9471cb7eee6e74d10ca29ba895f07ee864ba10e48035f3ecd21553e8a44b1d

memory/2352-16-0x0000000000500000-0x0000000000510000-memory.dmp

memory/1928-18-0x0000000000370000-0x0000000000376000-memory.dmp

memory/1928-25-0x00000000002B0000-0x00000000002B6000-memory.dmp

memory/1928-26-0x0000000000500000-0x0000000000510000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 18:43

Reported

2024-11-09 18:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b7bae77af37da0ef7de4a892d1451aef_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
US 3.130.253.23:443 emrlogistics.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 3.130.204.160:443 emrlogistics.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 3.130.253.23:443 emrlogistics.com tcp
US 3.130.204.160:443 emrlogistics.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 3.130.253.23:443 emrlogistics.com tcp
US 3.130.204.160:443 emrlogistics.com tcp
US 3.130.253.23:443 emrlogistics.com tcp
US 3.130.204.160:443 emrlogistics.com tcp

Files

memory/2844-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2844-1-0x0000000000560000-0x0000000000566000-memory.dmp

memory/2844-2-0x0000000000560000-0x0000000000566000-memory.dmp

memory/2844-3-0x0000000002070000-0x0000000002076000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asih.exe

MD5 8b0c030809584a2f47969ae5ae48234e
SHA1 76daa5b64d9fd1676e3deeb039918d362ef64fb6
SHA256 4a91d814043e90b32fff0461e814b9395962e92dbdc144a7efb3aecbd08e181f
SHA512 8ef21c9a0591fc335aacd56e240d12f6f4921c4da79556733477ac96eb1301b6fd9471cb7eee6e74d10ca29ba895f07ee864ba10e48035f3ecd21553e8a44b1d

memory/2844-18-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2776-20-0x00000000007F0000-0x00000000007F6000-memory.dmp

memory/2776-26-0x00000000006A0000-0x00000000006A6000-memory.dmp

memory/2776-27-0x0000000000500000-0x0000000000510000-memory.dmp