Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2024, 15:27 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
-
Size
45KB
-
MD5
13eaf2f3080d0b45d0e204dac6866f79
-
SHA1
30d93273e8554782d243655eb396ec5ae248bc04
-
SHA256
00f35eb22416ab9f126697c7227c857155c4645e474f00584f5b2abd2a97a3e5
-
SHA512
986146905c3f79de2622aba6b38ab8e4b376429da974f78f606b6560c7a023315b5d0f39668af7d2488628db7f096c6659bf4c6901fdb1983039732cc5217f1b
-
SSDEEP
768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/WZrEu/d+qmsUHQ1wsk:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ12
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023206-13.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4132 misid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4756 wrote to memory of 4132 4756 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe 89 PID 4756 wrote to memory of 4132 4756 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe 89 PID 4756 wrote to memory of 4132 4756 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:4132
-
Network
-
Remote address:8.8.8.8:53Requestbestccc.comIN AResponsebestccc.comIN A103.14.121.240
-
Remote address:8.8.8.8:53Requestbestccc.comIN A
-
Remote address:8.8.8.8:53Request149.177.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request186.178.17.96.in-addr.arpaIN PTRResponse186.178.17.96.in-addr.arpaIN PTRa96-17-178-186deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0896FD7D78CE63451D2DE941797562A6; domain=.bing.com; expires=Wed, 02-Apr-2025 15:27:32 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E467A3CC5F73461DBDD8EB956C548820 Ref B: LON04EDGE0821 Ref C: 2024-03-08T15:27:32Z
date: Fri, 08 Mar 2024 15:27:32 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0896FD7D78CE63451D2DE941797562A6
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=u9CyJXNtf8kPYPDOCJZ7UBp8cyBKzZrLKcq_hP3vjkM; domain=.bing.com; expires=Wed, 02-Apr-2025 15:27:32 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 520851B511EA4A008760C01FB7507108 Ref B: LON04EDGE0821 Ref C: 2024-03-08T15:27:32Z
date: Fri, 08 Mar 2024 15:27:32 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0896FD7D78CE63451D2DE941797562A6; MSPTC=u9CyJXNtf8kPYPDOCJZ7UBp8cyBKzZrLKcq_hP3vjkM
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A11A52221B274B1E8AC78BDA506C3C3C Ref B: LON04EDGE0821 Ref C: 2024-03-08T15:27:32Z
date: Fri, 08 Mar 2024 15:27:32 GMT
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.236.21
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN A
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTRResponse134.71.91.104.in-addr.arpaIN PTRa104-91-71-134deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request209.178.17.96.in-addr.arpaIN PTRResponse209.178.17.96.in-addr.arpaIN PTRa96-17-178-209deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301187_1ZYFA7XNBG4NK6SSZ&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301187_1ZYFA7XNBG4NK6SSZ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 212146
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 41735C4F3A50485EA92835034410863F Ref B: LON04EDGE0709 Ref C: 2024-03-08T15:29:09Z
date: Fri, 08 Mar 2024 15:29:08 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 246785
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DC4034C9D988424E939CF57A8BA1CC6A Ref B: LON04EDGE0709 Ref C: 2024-03-08T15:29:09Z
date: Fri, 08 Mar 2024 15:29:09 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301596_1DG6BQP8IZK93D1X4&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301596_1DG6BQP8IZK93D1X4&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 457945
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BEA87CFC34734CBF877133EA81CDCDED Ref B: LON04EDGE0709 Ref C: 2024-03-08T15:29:09Z
date: Fri, 08 Mar 2024 15:29:09 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 519937
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 46FE0663F19E4994A5BECC282FA0C13D Ref B: LON04EDGE0709 Ref C: 2024-03-08T15:29:10Z
date: Fri, 08 Mar 2024 15:29:09 GMT
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
204.79.197.200:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=tls, http22.0kB 9.2kB 21 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=684ce62eb7f746d1ab63e13bbc2b4cb6&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=HTTP Response
204 -
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
322 B 7
-
260 B 5
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4tls, http255.6kB 1.5MB 1096 1088
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301187_1ZYFA7XNBG4NK6SSZ&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301596_1DG6BQP8IZK93D1X4&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4HTTP Response
200 -
1.5kB 8.4kB 18 13
-
1.6kB 8.1kB 18 13
-
1.4kB 9.9kB 14 9
-
260 B 5
-
260 B 5
-
52 B 1
-
114 B 73 B 2 1
DNS Request
bestccc.com
DNS Request
bestccc.com
DNS Response
103.14.121.240
-
73 B 159 B 1 1
DNS Request
149.177.190.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
186.178.17.96.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
56 B 158 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.20013.107.21.200
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
224 B 299 B 3 2
DNS Request
171.39.242.20.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.236.21
-
72 B 137 B 1 1
DNS Request
134.71.91.104.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
209.178.17.96.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5396c3dfcf7d13988bea46e7c0bf0b9ff
SHA100aad7fc3d2e094b50ab135bad221b9f6ff70b2a
SHA256552c57f0f8fa7fb90cfdfd1095cd3e9cf0f854578679f64dc518a84f609912c2
SHA512644f4c60bef44730c8dc050c52a56830a33d3e27c7f2252746a9196d712475667d2d569d53f34d86134433d8ee623783556e93f230f8c18ea226e443d6cc07e8