Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-02-03...er.exe

windows7-x64

9

2024-02-03...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    88s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2024, 03:31 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-03_4216b81713711e9d5cf9f1d0446e4054_cryptolocker.exe

  • Size

    79KB

  • MD5

    4216b81713711e9d5cf9f1d0446e4054

  • SHA1

    3ad3a2040bad4f2b89ba85b78353c97d4a6fd4a3

  • SHA256

    648aec592d1e26ca344ea1f2ea2f7f97f9a2e820d7040124580b2ff78c2b14f8

  • SHA512

    3939bb2b04749407cbff9cfa82b7ffc57e84bfc9cf34deb0b5e79478b51b0aec0fd7ee37e01a35557bdbc3f9830b1d3cf4045a6df45db66960be7952ea52d829

  • SSDEEP

    1536:Tj+jsMQMOtEvwDpj5HmpJpOUHECgNMo0vp2EMMe:TCjsIOtEvwDpj5HE/OUHnSMs

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 5 IoCs
  • Detection of Cryptolocker Samples 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-03_4216b81713711e9d5cf9f1d0446e4054_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-03_4216b81713711e9d5cf9f1d0446e4054_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system certificate store
      PID:4844

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194deploystaticakamaitechnologiescom
  • flag-us
    DNS
    bestccc.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    bestccc.com
    IN A
    Response
    bestccc.com
    IN A
    103.14.121.240
  • flag-in
    GET
    https://bestccc.com/hr/ho2.exe
    misid.exe
    Remote address:
    103.14.121.240:443
    Request
    GET /hr/ho2.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: bestccc.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 03 Feb 2024 03:31:35 GMT
    Server: Apache/2
    Content-Length: 315
    Content-Type: text/html; charset=iso-8859-1
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    crl.comodoca.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.comodoca.com
    IN A
    Response
    crl.comodoca.com
    IN CNAME
    crl.comodoca.com.cdn.cloudflare.net
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.38.233
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    172.64.149.23
  • flag-us
    GET
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    misid.exe
    Remote address:
    104.18.38.233:80
    Request
    GET /cPanelIncCertificationAuthority.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.comodoca.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 03 Feb 2024 03:32:01 GMT
    Content-Type: application/pkix-crl
    Content-Length: 60037
    Connection: keep-alive
    Last-Modified: Fri, 02 Feb 2024 14:55:58 GMT
    ETag: "65bd027e-ea85"
    X-CCACDN-Mirror-ID: mscrl2
    Cache-Control: max-age=14400, s-maxage=3600
    Expires: Fri, 09 Feb 2024 14:55:58 GMT
    X-CCACDN-Proxy-ID: mcdpinlb3
    X-Frame-Options: SAMEORIGIN
    CF-Cache-Status: HIT
    Age: 1218
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 84f79ab7dd35dd7f-LHR
  • flag-us
    DNS
    240.121.14.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.121.14.103.in-addr.arpa
    IN PTR
    Response
    240.121.14.103.in-addr.arpa
    IN PTR
    10314121240-static-reversegooddomainregistrycom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.149.64.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.149.64.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.38.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.38.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180deploystaticakamaitechnologiescom
  • 103.14.121.240:443
    https://bestccc.com/hr/ho2.exe
    tls, http
    misid.exe
    1.1kB
     5.8kB
     13
    9

    HTTP Request

    GET https://bestccc.com/hr/ho2.exe

    HTTP Response

    404
  • 104.18.38.233:80
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    http
    misid.exe
    1.4kB
     62.4kB
     27
    47

    HTTP Request

    GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

    HTTP Response

    200
  • 52.142.223.178:80
    46 B
     1
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    bestccc.com
    dns
    misid.exe
    57 B
     73 B
     1
    1

    DNS Request

    bestccc.com

    DNS Response

    103.14.121.240

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    crl.comodoca.com
    dns
    misid.exe
    62 B
     143 B
     1
    1

    DNS Request

    crl.comodoca.com

    DNS Response

    104.18.38.233
    172.64.149.23

  • 8.8.8.8:53
    240.121.14.103.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    240.121.14.103.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    23.149.64.172.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    23.149.64.172.in-addr.arpa

  • 8.8.8.8:53
    233.38.18.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    233.38.18.104.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe
    Filesize

    79KB

    MD5

    d8bd3a05ed8c73b7e61fe5ceeead4d62

    SHA1

    32ff866d37453ea8c67ed396e4dbf4617ad26a2a

    SHA256

    4e10e96a9db0d4f9a488056b6570fc308667b35eaa6953d1c96bf9a452e5793d

    SHA512

    acd37f7e78a64c0cac30dd0418d16469ee89fba78750815c6d81907cfe96cb661af6c559bb05b71cc424bb137c24613df2438e438b4d73d2a60bc159eeb5298d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\misids.exe
    Filesize

    315B

    MD5

    a34ac19f4afae63adc5d2f7bc970c07f

    SHA1

    a82190fc530c265aa40a045c21770d967f4767b8

    SHA256

    d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

    SHA512

    42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

    Download Submit

  • memory/4236-0-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4236-1-0x0000000000520000-0x0000000000526000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4236-2-0x0000000000520000-0x0000000000526000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4236-3-0x0000000000540000-0x0000000000546000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4236-17-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4844-18-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4844-20-0x00000000004C0000-0x00000000004C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4844-26-0x00000000004A0000-0x00000000004A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4844-49-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.