Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-02-04...er.exe

windows7-x64

9

2024-02-04...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 04:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-04_ea164475e17a39c62b940c2b6a92dede_cryptolocker.exe

  • Size

    119KB

  • MD5

    ea164475e17a39c62b940c2b6a92dede

  • SHA1

    22a425a51a7b0329546147f581094309b6673494

  • SHA256

    96b994a4a2e4d5fc8c9e7ae832d0e5eac4dd56a67f47246406dfbd4b0d4ecea4

  • SHA512

    602d7f2b425bdbd07f3b03c307822ae6d33022b3563481461f1adfd06660853c7d8c3a0ac960ba7527a6c6451431377bfae110cf6ba25b7d5ed1d115122f4ba9

  • SSDEEP

    768:gUQz7yVEhs9+4T/1bytOOtEvwDpjNbZ7uyA36S7MpxRIIXVe3mU9TYwlOBTq:gUj+AIMOtEvwDpjNbwQEIPlemUhYa

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Detection of Cryptolocker Samples 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-04_ea164475e17a39c62b940c2b6a92dede_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-04_ea164475e17a39c62b940c2b6a92dede_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:3212

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    bestccc.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    bestccc.com
    IN A
    Response
    bestccc.com
    IN A
    103.14.121.240
  • flag-in
    GET
    https://bestccc.com/hr/ho2.exe
    misid.exe
    Remote address:
    103.14.121.240:443
    Request
    GET /hr/ho2.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: bestccc.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 04 Feb 2024 04:01:33 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: close
    Server: imunify360-webshield/1.21
    Last-Modified: Sunday, 04-Feb-2024 04:01:33 GMT
    Cache-Control: private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0
    cf-edge-cache: no-cache
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    crl.comodoca.com
    misid.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.comodoca.com
    IN A
    Response
    crl.comodoca.com
    IN CNAME
    crl.comodoca.com.cdn.cloudflare.net
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    104.18.38.233
    crl.comodoca.com.cdn.cloudflare.net
    IN A
    172.64.149.23
  • flag-us
    GET
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    misid.exe
    Remote address:
    104.18.38.233:80
    Request
    GET /cPanelIncCertificationAuthority.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crl.comodoca.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 04 Feb 2024 04:02:02 GMT
    Content-Type: application/pkix-crl
    Content-Length: 60142
    Connection: keep-alive
    Last-Modified: Sat, 03 Feb 2024 13:56:59 GMT
    ETag: "65be462b-eaee"
    X-CCACDN-Mirror-ID: sscrl1
    Cache-Control: max-age=14400, s-maxage=3600
    Expires: Sat, 10 Feb 2024 13:56:59 GMT
    X-CCACDN-Proxy-ID: mcdpinlb1
    X-Frame-Options: SAMEORIGIN
    CF-Cache-Status: HIT
    Age: 383
    Accept-Ranges: bytes
    Server: cloudflare
    CF-RAY: 8500040bc91148c1-LHR
  • flag-us
    DNS
    240.121.14.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.121.14.103.in-addr.arpa
    IN PTR
    Response
    240.121.14.103.in-addr.arpa
    IN PTR
    10314121240-static-reversegooddomainregistrycom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.149.64.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.149.64.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    233.38.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.38.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    211.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 103.14.121.240:443
    https://bestccc.com/hr/ho2.exe
    tls, http
    misid.exe
    1.0kB
     4.1kB
     13
    9

    HTTP Request

    GET https://bestccc.com/hr/ho2.exe

    HTTP Response

    200
  • 104.18.38.233:80
    http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
    http
    misid.exe
    1.4kB
     62.5kB
     27
    47

    HTTP Request

    GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

    HTTP Response

    200
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    bestccc.com
    dns
    misid.exe
    57 B
     73 B
     1
    1

    DNS Request

    bestccc.com

    DNS Response

    103.14.121.240

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    crl.comodoca.com
    dns
    misid.exe
    62 B
     143 B
     1
    1

    DNS Request

    crl.comodoca.com

    DNS Response

    104.18.38.233
    172.64.149.23

  • 8.8.8.8:53
    240.121.14.103.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    240.121.14.103.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    23.149.64.172.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    23.149.64.172.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    233.38.18.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    233.38.18.104.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    211.143.182.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    211.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe
    Filesize

    119KB

    MD5

    d99b27b0d313f75083c0909769efd3e7

    SHA1

    150eaf81dbd833214e7bee87ede2e2e8cef83b23

    SHA256

    93b453dda6b8ddf00d644f00ede8a9821ceff9ecff1e450b15bf9f3791198e77

    SHA512

    9ce8215fa2bca5bd3bc389ba98687cca5216aac072f5cdef795e509db959562960d4ddd26bbbae25e0ae8605a4de11d1e379ae7200295ebbbf7ec89220559d09

    Download Submit

  • memory/2376-2-0x00000000007D0000-0x00000000007D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2376-1-0x00000000007B0000-0x00000000007B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2376-0-0x00000000007B0000-0x00000000007B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3212-17-0x0000000000760000-0x0000000000766000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3212-19-0x0000000000630000-0x0000000000636000-memory.dmp

    Filesize

    24KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.