Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-08-2023 10:53

General

  • Target

    81e497db40f1153fbeabccc43c9a925c_cryptolocker_JC.exe

  • Size

    54KB

  • MD5

    81e497db40f1153fbeabccc43c9a925c

  • SHA1

    070641b8e948b3f6ca871ac92107cf7a81298d19

  • SHA256

    4124a9b23cbd457b2debe7a8e7e733b6c7ec39e8f67008c671c85fcc35d2d37a

  • SHA512

    cef43d9a8a984e41c2fc5f96dcf89de402b5a6491f096e2b8570ad25b9d3d7c913e1ed73cafeba1b86bdb6c31d542f4c9fbc796428c9793508a433a5cbff44d5

  • SSDEEP

    768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52Wf:6j+1NMOtEvwDpjr8ox8U2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81e497db40f1153fbeabccc43c9a925c_cryptolocker_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\81e497db40f1153fbeabccc43c9a925c_cryptolocker_JC.exe"
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      • Executes dropped EXE
      • Modifies system certificate store
      PID:2752

Network

  • Country: US
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    bestccc.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    bestccc.com
    IN A
    Response
    bestccc.com
    IN A
    103.14.121.240
  • Country: IN
    GET
    https://bestccc.com/hr/ho2.exe
    misid.exe
    Remote address:
    103.14.121.240:443
    Request
    GET /hr/ho2.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: bestccc.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 06 Aug 2023 10:51:58 GMT
    Server: Apache/2
    Content-Length: 315
    Content-Type: text/html; charset=iso-8859-1
  • Country: US
    DNS
    240.121.14.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.121.14.103.in-addr.arpa
    IN PTR
    Response
    240.121.14.103.in-addr.arpa
    IN PTR
    10314121240-static-reversegooddomainregistrycom
  • Country: US
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    101.15.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.15.18.104.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    crl.comodoca.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.comodoca.com
    IN A
    Response
    crl.comodoca.com
    IN CNAME
    crl.comodoca.com.cdn.cloudflare.net
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.14.101
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.15.101
  • Country: US
    GET
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    misid.exe
    Remote address:
    104.18.14.101:80
    Request
    GET /cPanelIncCertificationAuthority.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.comodoca.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 06 Aug 2023 10:53:12 GMT
    Content-Type: application/pkix-crl
    Content-Length: 59799
    Connection: keep-alive
    Last-Modified: Sat, 05 Aug 2023 19:40:00 GMT
    ETag: "64cea590-e997"
    X-CCACDN-Mirror-ID: sscrl2
    Cache-Control: max-age=14400, s-maxage=3600
    Expires: Sat, 12 Aug 2023 19:40:00 GMT
    X-CCACDN-Proxy-ID: mcdpinlb5
    X-Frame-Options: SAMEORIGIN
    CF-Cache-Status: HIT
    Age: 33
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 7f26bc167cfa0a67-AMS
  • Country: US
    DNS
    101.14.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.14.18.104.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    126.49.247.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.49.247.8.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    126.23.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    126.23.238.8.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    210.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 103.14.121.240:443
    https://bestccc.com/hr/ho2.exe
    tls, http
    misid.exe
    1.1kB
    5.8kB
    13
    9

    HTTP Request

    GET https://bestccc.com/hr/ho2.exe

    HTTP Response

    404
  • 104.18.14.101:80
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    http
    misid.exe
    1.4kB
    62.2kB
    27
    47

    HTTP Request

    GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

    HTTP Response

    200
  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    bestccc.com
    dns
    misid.exe
    57 B
    73 B
    1
    1

    DNS Request

    bestccc.com

    DNS Response

    103.14.121.240

  • 8.8.8.8:53
    240.121.14.103.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.121.14.103.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    101.15.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.15.18.104.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    crl.comodoca.com
    dns
    misid.exe
    62 B
    143 B
    1
    1

    DNS Request

    crl.comodoca.com

    DNS Response

    104.18.14.101
    104.18.15.101

  • 8.8.8.8:53
    101.14.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    101.14.18.104.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    126.49.247.8.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    126.49.247.8.in-addr.arpa

  • 8.8.8.8:53
    126.23.238.8.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    126.23.238.8.in-addr.arpa

  • 8.8.8.8:53
    210.143.182.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    210.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe

    Filesize

    54KB

    MD5

    73f8981279b8bff8ba0d1ce32b01e78e

    SHA1

    a4648bb2a027f53004c3169aeb243bb26cb5ac10

    SHA256

    aa92ebe750fced2feed8ad2670ac104f74ffa29539a0e81748b4b17a2f4b54fa

    SHA512

    912af1b9cd9695fe92a92498af5d958639b1f8761f22a1acd89147552a0f31ab1cf7f81e069e138f3098c681a3336ae489d9005aa8ff2bf40a4cea03be7fa974

  • C:\Users\Admin\AppData\Local\Temp\misids.exe

    Filesize

    315B

    MD5

    a34ac19f4afae63adc5d2f7bc970c07f

    SHA1

    a82190fc530c265aa40a045c21770d967f4767b8

    SHA256

    d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

    SHA512

    42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

  • memory/2752-152-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB

  • memory/2752-153-0x00000000006D0000-0x00000000006D6000-memory.dmp

    Filesize

    24KB

  • memory/2752-181-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

  • memory/4648-133-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

  • memory/4648-134-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

  • memory/4648-135-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

  • memory/4648-136-0x0000000002050000-0x0000000002056000-memory.dmp

    Filesize

    24KB

  • memory/4648-150-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB
