Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/06/2024, 11:44 UTC

General

  • Target

    2024-06-04_7ee115d1d3915533137e3688e5dcc994_cryptolocker.exe

  • Size

    37KB

  • MD5

    7ee115d1d3915533137e3688e5dcc994

  • SHA1

    a00baf1064e9a43bf93dbeeaf63aede5fa02eb2c

  • SHA256

    2b65627e3246deb37adcf6dd3eaf2199d5e8c42e6a52ab46e23410652eb5e001

  • SHA512

    d1f726c7f6f90c1da0306353af0e12dc2cf1f097b65d37f2c88c24e913fbefe8ca16d20cfe996280e3283b929b75296ceaff82f4f80ac07b9f9d830d3cfa76f1

  • SSDEEP

    768:fTz7y3lhsT+hs1SQtOOtEvwDpjfAu9+4PE:fT+hsMQMOtEvwDpjoIHM

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Detection of Cryptolocker Samples 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-04_7ee115d1d3915533137e3688e5dcc994_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-04_7ee115d1d3915533137e3688e5dcc994_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system certificate store
      PID:496
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4984

    Network

    • DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      bestccc.com
      misid.exe
      Remote address:
      8.8.8.8:53
      Request
      bestccc.com
      IN A
      Response
      bestccc.com
      IN A
      103.91.187.97
    • DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • DNS
      97.187.91.103.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.187.91.103.in-addr.arpa
      IN PTR
      Response
      97.187.91.103.in-addr.arpa
      IN PTR
      1039118797-static-reversegdrnetin
    • DNS
      crl.comodoca.com
      misid.exe
      Remote address:
      8.8.8.8:53
      Request
      crl.comodoca.com
      IN A
      Response
      crl.comodoca.com
      IN CNAME
      crl.comodoca.com.cdn.cloudflare.net
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      172.64.149.23
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      104.18.38.233
    • GET
      http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
      misid.exe
      Remote address:
      172.64.149.23:80
      Request
      GET /cPanelIncCertificationAuthority.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.comodoca.com
      Response
      HTTP/1.1 200 OK
      Date: Tue, 04 Jun 2024 11:45:33 GMT
      Content-Type: application/pkix-crl
      Content-Length: 64813
      Connection: keep-alive
      Last-Modified: Mon, 03 Jun 2024 11:25:03 GMT
      Expires: Mon, 10 Jun 2024 11:25:03 GMT
      Etag: "b2d69040631bec2f53a525621b9251654cf36de2"
      Cache-Control: max-age=603421,s-maxage=3600,public,no-transform,must-revalidate
      X-CCACDN-Proxy-ID: mcdpinlb3
      X-Frame-Options: SAMEORIGIN
      CF-Cache-Status: HIT
      Age: 3519
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 88e7ad65b89b942a-LHR
    • DNS
      69.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      69.31.126.40.in-addr.arpa
      IN PTR
      Response
    • DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS
      233.38.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.38.18.104.in-addr.arpa
      IN PTR
      Response
    • DNS
      23.149.64.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.149.64.172.in-addr.arpa
      IN PTR
      Response
    • DNS
      183.142.211.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.142.211.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      164.189.21.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      164.189.21.2.in-addr.arpa
      IN PTR
      Response
      164.189.21.2.in-addr.arpa
      IN PTR
      a2-21-189-164deploystaticakamaitechnologiescom
    • DNS
      27.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      27.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 142.250.178.10:443
      46 B
      40 B
      1
      1
    • 103.91.187.97:443
      bestccc.com
      tls
      misid.exe
      1.0kB
      5.7kB
      13
      9
    • 172.64.149.23:80
      http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
      http
      misid.exe
      1.5kB
      67.4kB
      29
      51

      HTTP Request

      GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

      HTTP Response

      200
    • 23.44.234.16:80
      260 B
      5
    • 13.107.253.64:443
      46 B
      40 B
      1
      1
    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      bestccc.com
      dns
      misid.exe
      57 B
      73 B
      1
      1

      DNS Request

      bestccc.com

      DNS Response

      103.91.187.97

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      97.187.91.103.in-addr.arpa
      dns
      72 B
      125 B
      1
      1

      DNS Request

      97.187.91.103.in-addr.arpa

    • 8.8.8.8:53
      crl.comodoca.com
      dns
      misid.exe
      62 B
      143 B
      1
      1

      DNS Request

      crl.comodoca.com

      DNS Response

      172.64.149.23
      104.18.38.233

    • 8.8.8.8:53
      69.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      69.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      233.38.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      233.38.18.104.in-addr.arpa

    • 8.8.8.8:53
      23.149.64.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      23.149.64.172.in-addr.arpa

    • 8.8.8.8:53
      183.142.211.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      183.142.211.20.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      164.189.21.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      164.189.21.2.in-addr.arpa

    • 8.8.8.8:53
      27.173.189.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      27.173.189.20.in-addr.arpa


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\misid.exe

      Filesize

      37KB

      MD5

      70bbb48fe0737590e24e6d0e3837e674

      SHA1

      b2fac34b76090d2a07e5bb9c9c5c69f1bc86b9ce

      SHA256

      5dd9504af27efb136ed85b45c57b3d2ea4fbbd789349b620627f5914823e18f1

      SHA512

      5eece152d1b2890c3a74b3cd0ab1bd34ca064796b6914ef75ad290eb2d735769f3652834f125e066c67584cd1835301f4834491d74cb637cf7a1adbe035fd81c

    • C:\Users\Admin\AppData\Local\Temp\misids.exe

      Filesize

      315B

      MD5

      a34ac19f4afae63adc5d2f7bc970c07f

      SHA1

      a82190fc530c265aa40a045c21770d967f4767b8

      SHA256

      d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

      SHA512

      42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

    • memory/496-17-0x0000000000740000-0x0000000000746000-memory.dmp

      Filesize

      24KB

    • memory/496-18-0x0000000000760000-0x0000000000766000-memory.dmp

      Filesize

      24KB

    • memory/844-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/844-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/844-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

      Filesize

      24KB
