0fe5f1b55b7b392b779455610e7d0e54772c018820c81f59009d86d4d92d753d

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 11:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe
Size

75KB
MD5

161be7c05b98643e2ebde20b31838b88
SHA1

3e6d149a1cd99b248d34cac6ff3a62508427277f
SHA256

0fe5f1b55b7b392b779455610e7d0e54772c018820c81f59009d86d4d92d753d
SHA512

fc3533bdbf3d538a4d2c3d03027b97b52e6cf234be31ca77b97c0a83590b73ca237dbbffb71d86dd161a8ad6db756b891e6b4f98db3181c5f1215c3efe894ff4
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdOyJ3KusBy:ZVxkGOtEvwDpjcan

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c3-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1640	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1640	2364	2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe	28
PID 2364 wrote to memory of 1640	2364	2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe	28
PID 2364 wrote to memory of 1640	2364	2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe	28
PID 2364 wrote to memory of 1640	2364	2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_161be7c05b98643e2ebde20b31838b88_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1640

Network

DNS

bestccc.com

misid.exe

Remote address:

8.8.8.8:53

Request

bestccc.com

IN A

Response

bestccc.com

IN A

103.14.121.240

103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

152 B
3
103.14.121.240:443

bestccc.com

misid.exe

52 B
1

8.8.8.8:53

bestccc.com

dns

misid.exe

57 B
73 B
1
1

DNS Request

bestccc.com

DNS Response

103.14.121.240

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
76KB

MD5
dd8f9fb9ff09e3578f26b2a3588269dd

SHA1
dd77d29db5bcb7714ba5608c2dbbe6772bca2363

SHA256
afe6658088c73430e07cfd3a80a0c61179fa032bba6d0db21fbd1b01ed2269fa

SHA512
7c2eb7dd0d8b89802e56b70ebaf244d68fa2144206201be80167a2ae0c1395d042e5250497379cecfddb8ba044d2a2eeb2a91fca88571b987fbbb080b643b827

Download Submit
memory/1640-14-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1640-16-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1640-20-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2364-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2364-1-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2364-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download