Analysis

  • max time kernel
    114s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/03/2024, 17:56 UTC

General

  • Target

    2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe

  • Size

    64KB

  • MD5

    bfb12bc505ca7736641758ac7b36758b

  • SHA1

    40386403a0552097580e60ceb22506c92d24d65e

  • SHA256

    12dd746c4fb22315953508e7e85a0702c088607682e8da266f41379dc7d46e71

  • SHA512

    72e8dc462484cc7579a573148c0eeb837fae61d89883ed5bb796b0d51c429e5cdd3c579db04aea3984194e7bfbb286a82cd3e09375723ad5fa9b29509b511df3

  • SSDEEP

    768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEMpf:6j+1NMOtEvwDpjr8ox8UDEI

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • Detects executables built or packed with MPress PE compressor 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system certificate store
      PID:4128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4484 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2292

    Network

    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.134.221.88.in-addr.arpa
      IN PTR
      Response
      41.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      bestccc.com
      misid.exe
      Remote address:
      8.8.8.8:53
      Request
      bestccc.com
      IN A
      Response
      bestccc.com
      IN A
      103.14.121.240
    • flag-in
      GET
      https://bestccc.com/hr/ho2.exe
      misid.exe
      Remote address:
      103.14.121.240:443
      Request
      GET /hr/ho2.exe HTTP/1.1
      Accept: text/*, application/*
      User-Agent: Updates downloader
      Host: bestccc.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 29 Mar 2024 17:55:46 GMT
      Server: Apache/2
      Content-Length: 315
      Content-Type: text/html; charset=iso-8859-1
    • flag-us
      DNS
      crl.comodoca.com
      misid.exe
      Remote address:
      8.8.8.8:53
      Request
      crl.comodoca.com
      IN A
      Response
      crl.comodoca.com
      IN CNAME
      crl.comodoca.com.cdn.cloudflare.net
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      172.64.149.23
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      104.18.38.233
    • flag-us
      GET
      http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
      misid.exe
      Remote address:
      172.64.149.23:80
      Request
      GET /cPanelIncCertificationAuthority.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.comodoca.com
      Response
      HTTP/1.1 200 OK
      Date: Fri, 29 Mar 2024 17:57:06 GMT
      Content-Type: application/pkix-crl
      Content-Length: 62039
      Connection: keep-alive
      Last-Modified: Fri, 29 Mar 2024 07:15:18 GMT
      Expires: Fri, 05 Apr 2024 07:15:18 GMT
      Etag: "8aef5893a69360fbf48aa7a74985d66523a4a2dc"
      Cache-Control: max-age=600425,s-maxage=3600,public,no-transform,must-revalidate
      X-CCACDN-Proxy-ID: mcdpinlb2
      X-Frame-Options: SAMEORIGIN
      CF-Cache-Status: HIT
      Age: 2970
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 86c1bd899b6e63c0-LHR
    • flag-us
      DNS
      240.121.14.103.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.121.14.103.in-addr.arpa
      IN PTR
      Response
      240.121.14.103.in-addr.arpa
      IN PTR
      10314121240-static-reversegooddomainregistrycom
    • flag-us
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      218.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      218.135.221.88.in-addr.arpa
      IN PTR
      Response
      218.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-218.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      233.38.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.38.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.149.64.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.149.64.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
      Response
      chromewebstore.googleapis.com
      IN A
      142.250.185.106
      chromewebstore.googleapis.com
      IN A
      142.250.185.138
      chromewebstore.googleapis.com
      IN A
      142.250.185.170
      chromewebstore.googleapis.com
      IN A
      142.250.185.202
      chromewebstore.googleapis.com
      IN A
      142.250.185.234
      chromewebstore.googleapis.com
      IN A
      142.250.184.234
      chromewebstore.googleapis.com
      IN A
      216.58.206.74
      chromewebstore.googleapis.com
      IN A
      142.250.181.234
      chromewebstore.googleapis.com
      IN A
      142.250.186.42
      chromewebstore.googleapis.com
      IN A
      142.250.186.74
      chromewebstore.googleapis.com
      IN A
      172.217.16.138
      chromewebstore.googleapis.com
      IN A
      216.58.212.170
      chromewebstore.googleapis.com
      IN A
      142.250.74.202
      chromewebstore.googleapis.com
      IN A
      142.250.184.202
      chromewebstore.googleapis.com
      IN A
      172.217.18.10
      chromewebstore.googleapis.com
      IN A
      142.250.186.106
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN Unknown
      Response
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN A
      Response
      pki.goog
      IN A
      216.239.32.29
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN Unknown
      Response
    • flag-us
      GET
      http://pki.goog/gsr1/gsr1.crt
      Remote address:
      216.239.32.29:80
      Request
      GET /gsr1/gsr1.crt HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 797
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 29 Mar 2024 17:16:50 GMT
      Expires: Fri, 29 Mar 2024 18:06:50 GMT
      Cache-Control: public, max-age=3000
      Age: 2447
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gtsr1.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gtsr1.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1371
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 29 Mar 2024 17:55:28 GMT
      Expires: Fri, 29 Mar 2024 18:45:28 GMT
      Cache-Control: public, max-age=3000
      Age: 129
      Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gts1c3.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gts1c3.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1304
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 29 Mar 2024 17:07:55 GMT
      Expires: Fri, 29 Mar 2024 17:57:55 GMT
      Cache-Control: public, max-age=3000
      Age: 2982
      Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      DNS
      106.185.250.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      106.185.250.142.in-addr.arpa
      IN PTR
      Response
      106.185.250.142.in-addr.arpa
      IN PTR
      fra16s49-in-f10.1e100.net
    • flag-us
      DNS
      29.32.239.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.32.239.216.in-addr.arpa
      IN PTR
      Response
      29.32.239.216.in-addr.arpa
      IN PTR
      any-in-201d.1e100.net
    • flag-us
      DNS
      219.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      219.135.221.88.in-addr.arpa
      IN PTR
      Response
      219.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-219.deploy.static.akamaitechnologies.com
    • 20.231.121.79:80
      46 B
      1
    • 103.14.121.240:443
      https://bestccc.com/hr/ho2.exe
      tls, http
      misid.exe
      1.1kB
      5.9kB
      15
      11

      HTTP Request

      GET https://bestccc.com/hr/ho2.exe

      HTTP Response

      404
    • 172.64.149.23:80
      http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
      http
      misid.exe
      1.4kB
      64.5kB
      28
      49

      HTTP Request

      GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

      HTTP Response

      200
    • 13.107.246.64:443
      46 B
      40 B
      1
      1
    • 142.250.185.106:443
      chromewebstore.googleapis.com
      tls
      941 B
      5.2kB
      8
      8
    • 216.239.32.29:80
      http://pki.goog/repo/certs/gts1c3.der
      http
      1.3kB
      6.1kB
      10
      11

      HTTP Request

      GET http://pki.goog/gsr1/gsr1.crt

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gtsr1.der

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gts1c3.der

      HTTP Response

      200
    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      41.134.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      41.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      bestccc.com
      dns
      misid.exe
      57 B
      73 B
      1
      1

      DNS Request

      bestccc.com

      DNS Response

      103.14.121.240

    • 8.8.8.8:53
      crl.comodoca.com
      dns
      misid.exe
      62 B
      143 B
      1
      1

      DNS Request

      crl.comodoca.com

      DNS Response

      172.64.149.23
      104.18.38.233

    • 8.8.8.8:53
      240.121.14.103.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      240.121.14.103.in-addr.arpa

    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      218.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      218.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      233.38.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      233.38.18.104.in-addr.arpa

    • 8.8.8.8:53
      23.149.64.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      23.149.64.172.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      43.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      331 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

      DNS Response

      142.250.185.106
      142.250.185.138
      142.250.185.170
      142.250.185.202
      142.250.185.234
      142.250.184.234
      216.58.206.74
      142.250.181.234
      142.250.186.42
      142.250.186.74
      172.217.16.138
      216.58.212.170
      142.250.74.202
      142.250.184.202
      172.217.18.10
      142.250.186.106

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      132 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      70 B
      1
      1

      DNS Request

      pki.goog

      DNS Response

      216.239.32.29

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      128 B
      1
      1

      DNS Request

      pki.goog

    • 8.8.8.8:53
      106.185.250.142.in-addr.arpa
      dns
      74 B
      113 B
      1
      1

      DNS Request

      106.185.250.142.in-addr.arpa

    • 8.8.8.8:53
      29.32.239.216.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      29.32.239.216.in-addr.arpa

    • 8.8.8.8:53
      219.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      219.135.221.88.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\misid.exe

      Filesize

      64KB

      MD5

      d6669ac16d0906a3749e3f9579686295

      SHA1

      ad46c28f2ab888c806b39f3c215b74b24a9e61e2

      SHA256

      dd7082697e9f668608062fe6a2f57340899afef87d1003134659974f309afb49

      SHA512

      4e7651402ef1a48a173e12bacbdbe3e91d6ad804b4ff64f11c67cacb818403b7f8d7f4971b5aee6ef7cacff7a848130a064ad3810606b30747059bfd86efe487

    • C:\Users\Admin\AppData\Local\Temp\misids.exe

      Filesize

      315B

      MD5

      a34ac19f4afae63adc5d2f7bc970c07f

      SHA1

      a82190fc530c265aa40a045c21770d967f4767b8

      SHA256

      d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

      SHA512

      42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

    • memory/1412-0-0x0000000000500000-0x000000000050F000-memory.dmp

      Filesize

      60KB

    • memory/1412-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/1412-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/1412-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

      Filesize

      24KB

    • memory/1412-17-0x0000000000500000-0x000000000050F000-memory.dmp

      Filesize

      60KB

    • memory/4128-19-0x0000000002080000-0x0000000002086000-memory.dmp

      Filesize

      24KB

    • memory/4128-21-0x0000000000520000-0x0000000000526000-memory.dmp

      Filesize

      24KB

    • memory/4128-48-0x0000000000500000-0x000000000050F000-memory.dmp

      Filesize

      60KB
