Analysis

  • max time kernel
    0s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/02/2024, 09:03 UTC

General

  • Target

    2024-02-01_1090360d26072732ac893b6045f3a6e9_cryptolocker.exe

  • Size

    126KB

  • MD5

    1090360d26072732ac893b6045f3a6e9

  • SHA1

    464022f6d1bbac8637a97efe5e76f4da9177afd5

  • SHA256

    2a57393ee6c8be2e6f077f9fcadd9386024fa6371b42e715f459a76dbdc1f49d

  • SHA512

    ec5ec095473772f4bb5f013c94eb31777fd908a73c7683d91a769356287d9a9c37b9902e3745d17cfe701c027594153c86e7fa4067ccf1c66d796c5e15281a9d

  • SSDEEP

    1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfIuBKLUYOVbvh//K:vCjsIOtEvwDpj5H9YvQd2RQ

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 3 IoCs
  • Detection of Cryptolocker Samples 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-01_1090360d26072732ac893b6045f3a6e9_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-01_1090360d26072732ac893b6045f3a6e9_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Executes dropped EXE
      PID:2020

Network

  • DNS 228.249.119.40.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 228.249.119.40.in-addr.arpa IN PTR
    Response: (none)
  • DNS bestccc.com (remote address 8.8.8.8:53)
    Request: bestccc.com IN A
    Response: bestccc.com IN A 103.14.121.240
  • DNS 240.121.14.103.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 240.121.14.103.in-addr.arpa IN PTR
    Response: 240.121.14.103.in-addr.arpa IN PTR 10314121240-static-reversegooddomainregistrycom
  • DNS 202.178.17.96.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 202.178.17.96.in-addr.arpa IN PTR
    Response: 202.178.17.96.in-addr.arpa IN PTR a96-17-178-202.deploy.static.akamaitechnologies.com
  • DNS crl.comodoca.com (remote address 8.8.8.8:53)
    Request: crl.comodoca.com IN A
    Response: crl.comodoca.com IN CNAME crl.comodoca.com.cdn.cloudflare.net
              crl.comodoca.com.cdn.cloudflare.net IN A 104.18.38.233
              crl.comodoca.com.cdn.cloudflare.net IN A 172.64.149.23
  • GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl (remote address 104.18.38.233:80)
    Request:
      GET /cPanelIncCertificationAuthority.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.comodoca.com
    Response:
      HTTP/1.1 200 OK
      Date: Thu, 01 Feb 2024 09:03:38 GMT
      Content-Type: application/pkix-crl
      Content-Length: 59932
      Connection: keep-alive
      Last-Modified: Wed, 31 Jan 2024 16:54:53 GMT
      ETag: "65ba7b5d-ea1c"
      X-CCACDN-Mirror-ID: mscrl2
      Cache-Control: max-age=14400, s-maxage=3600
      Expires: Wed, 07 Feb 2024 16:54:53 GMT
      X-CCACDN-Proxy-ID: mcdpinlb2
      X-Frame-Options: SAMEORIGIN
      CF-Cache-Status: HIT
      Age: 2491
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 84e905baedcc23dc-LHR
  • DNS 23.149.64.172.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 23.149.64.172.in-addr.arpa IN PTR
    Response: (none)
  • DNS 76.32.126.40.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 76.32.126.40.in-addr.arpa IN PTR
    Response: (none)
  • DNS 233.38.18.104.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 233.38.18.104.in-addr.arpa IN PTR
    Response: (none)
  • DNS 95.221.229.192.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (none)
  • DNS 196.249.167.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 196.249.167.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 79.121.231.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 79.121.231.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS 86.23.85.13.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 86.23.85.13.in-addr.arpa IN PTR
    Response: (none)
  • DNS 171.39.242.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 171.39.242.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS 18.134.221.88.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 18.134.221.88.in-addr.arpa IN PTR
    Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
  • DNS 173.178.17.96.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 173.178.17.96.in-addr.arpa IN PTR
    Response: 173.178.17.96.in-addr.arpa IN PTR a96-17-178-173.deploy.static.akamaitechnologies.com
  • DNS 14.227.111.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 14.227.111.52.in-addr.arpa IN PTR
    Response: (none)
  Connections (bytes and packets as reported by the sandbox; the larger figure for the CRL fetch matches the 59932-byte response body, so the first pair is outbound and the second inbound)

  Remote address      Host / URL                                                    Proto  Bytes out  Bytes in  Pkts out  Pkts in  Summary
  103.14.121.240:443  bestccc.com                                                   tls    1.0kB      4.1kB     13        9
  104.18.38.233:80    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl   http   1.4kB      62.3kB    27        47       GET /cPanelIncCertificationAuthority.crl, HTTP 200
  8.8.8.8:53          228.249.119.40.in-addr.arpa                                   dns    73 B       159 B     1         1
  8.8.8.8:53          bestccc.com                                                   dns    57 B       73 B      1         1        response 103.14.121.240
  8.8.8.8:53          240.121.14.103.in-addr.arpa                                   dns    73 B       139 B     1         1
  8.8.8.8:53          202.178.17.96.in-addr.arpa                                    dns    72 B       137 B     1         1
  8.8.8.8:53          crl.comodoca.com                                              dns    62 B       143 B     1         1        response 104.18.38.233, 172.64.149.23
  8.8.8.8:53          23.149.64.172.in-addr.arpa                                    dns    72 B       134 B     1         1
  8.8.8.8:53          76.32.126.40.in-addr.arpa                                     dns    71 B       157 B     1         1
  8.8.8.8:53          233.38.18.104.in-addr.arpa                                    dns    72 B       134 B     1         1
  8.8.8.8:53          95.221.229.192.in-addr.arpa                                   dns    73 B       144 B     1         1
  8.8.8.8:53          196.249.167.52.in-addr.arpa                                   dns    73 B       147 B     1         1
  8.8.8.8:53          79.121.231.20.in-addr.arpa                                    dns    72 B       158 B     1         1
  8.8.8.8:53          86.23.85.13.in-addr.arpa                                      dns    70 B       144 B     1         1
  8.8.8.8:53          171.39.242.20.in-addr.arpa                                    dns    72 B       158 B     1         1
  8.8.8.8:53          18.134.221.88.in-addr.arpa                                    dns    72 B       137 B     1         1
  8.8.8.8:53          173.178.17.96.in-addr.arpa                                    dns    72 B       137 B     1         1
  8.8.8.8:53          14.227.111.52.in-addr.arpa                                    dns    72 B       158 B     1         1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe

    Filesize

    9KB

    MD5

    2f48a912ba52708d11062901eb4c69d0

    SHA1

    b76949fcd8e9ad26116ae6cef02bc6a0beb18917

    SHA256

    aa4a538298bdab3ae2786429cf8d0fdc462bc80a4fd1fc124faaa982c344b2e6

    SHA512

    c995f8d89c50275b12249762d7327f778aeeca7789a002902ed814973915a0200f4363b92ac184c0ee4f23df41792b0035b4425ce6bb759572e1d7c955bd4ebb

  • C:\Users\Admin\AppData\Local\Temp\misid.exe

    Filesize

    59KB

    MD5

    9cd964c28ff85e4a892cd7f05d20f981

    SHA1

    2afbc655be67ca97d8cd18b3b1f443d4d8b84124

    SHA256

    33efa8c814a94ef97322f6c49e75ba61c05f8458e6cef1f5af9834a0edf398b0

    SHA512

    62a2fdc59d9eb364597a7f044851362ef2785139578d6305a0866dba6310f208f28f01449870fb1285b0f9a9156d241519a0c891fbceaa9829f66d14e3b01c90

  • C:\Users\Admin\AppData\Local\Temp\misid.exe

    Filesize

    57KB

    MD5

    adda64a6e60673a2d42acd2974669539

    SHA1

    9e612b39bec68e803fc520828b107ddf39060317

    SHA256

    3f5ee6383a6d5845776064e2b52f895af21c87e0cfbb3472012ca2abd41310b2

    SHA512

    2669a3f9c48e8c933bdb2ef3e31981f4cb56bdb18c1f3f89aad9e93f117c6d8c515020eb14cc9be8a2d82ef9f476667e25edad0edb6efcb63488407302f5bce2

  • memory/1340-2-0x00000000021A0000-0x00000000021A6000-memory.dmp

    Filesize

    24KB

  • memory/1340-1-0x0000000002280000-0x0000000002286000-memory.dmp

    Filesize

    24KB

  • memory/1340-0-0x0000000002280000-0x0000000002286000-memory.dmp

    Filesize

    24KB

  • memory/2020-17-0x00000000020F0000-0x00000000020F6000-memory.dmp

    Filesize

    24KB

  • memory/2020-23-0x00000000020D0000-0x00000000020D6000-memory.dmp

    Filesize

    24KB