Analysis

  • max time kernel
    0s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 02:25 UTC

General

  • Target

    2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe

  • Size

    49KB

  • MD5

    ffb5e536307cf11067f864e3833217db

  • SHA1

    9bbe338b2297d33cba61a7053ff5800e31d2f2c7

  • SHA256

    1438c035b7bd29cf71ae2eb3728474d47224d4baf18bc0c36e66653947860abd

  • SHA512

    17bd4cf5c201b33155702bd839effefa8958c5381af8b2a535aa2650af522afe9ae9d4e7f82c6d9a0e6d7307dfd1733290cd47e75caece1d96f817d98ea8c7e6

  • SSDEEP

    768:xQz7yVEhs9+4uR1bytOOtEvwDpjWE6BLbjG9RzhwaRhAEFo:xj+VGMOtEvwDpjy+TRhxu

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • Detects executables built or packed with MPress PE compressor 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
        PID:912

    Network

    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      bestccc.com
      Remote address:
      8.8.8.8:53
      Request
      bestccc.com
      IN A
      Response
      bestccc.com
      IN A
      103.91.187.97
    • flag-us
      DNS
      203.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      203.107.17.2.in-addr.arpa
      IN PTR
      Response
      203.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-203.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      crl.comodoca.com
      Remote address:
      8.8.8.8:53
      Request
      crl.comodoca.com
      IN A
      Response
      crl.comodoca.com
      IN CNAME
      crl.comodoca.com.cdn.cloudflare.net
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      172.64.149.23
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      104.18.38.233
    • flag-us
      GET
      http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
      Remote address:
      172.64.149.23:80
      Request
      GET /cPanelIncCertificationAuthority.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.comodoca.com
      Response
      HTTP/1.1 200 OK
      Date: Mon, 10 Jun 2024 02:34:16 GMT
      Content-Type: application/pkix-crl
      Content-Length: 65440
      Connection: keep-alive
      Last-Modified: Sun, 09 Jun 2024 05:27:42 GMT
      Expires: Sun, 16 Jun 2024 05:27:42 GMT
      Etag: "28ed2d44100a567a83419eb650a92b663924e28b"
      Cache-Control: max-age=602265,s-maxage=3600,public,no-transform,must-revalidate
      X-CCACDN-Proxy-ID: mcdpinlb4
      X-Frame-Options: SAMEORIGIN
      CF-Cache-Status: HIT
      Age: 655
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 8915f61f2b6a76f5-LHR
    • flag-us
      DNS
      136.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      136.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.149.64.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.149.64.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.187.91.103.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.187.91.103.in-addr.arpa
      IN PTR
      Response
      97.187.91.103.in-addr.arpa
      IN PTR
      1039118797-static-reversegdrnetin
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.121.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.121.18.2.in-addr.arpa
      IN PTR
      Response
      31.121.18.2.in-addr.arpa
      IN PTR
      a2-18-121-31.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      144.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      144.107.17.2.in-addr.arpa
      IN PTR
      Response
      144.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-144.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.179.89.13.in-addr.arpa
      IN PTR
      Response
    • 103.91.187.97:443
      bestccc.com
      tls
      1.0kB
      5.7kB
      13
      9
    • 172.64.149.23:80
      http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
      http
      1.5kB
      68.0kB
      29
      51

      HTTP Request

      GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

      HTTP Response

      200
    • 52.142.223.178:80
      46 B
      1
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      bestccc.com
      dns
      57 B
      73 B
      1
      1

      DNS Request

      bestccc.com

      DNS Response

      103.91.187.97

    • 8.8.8.8:53
      203.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      203.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      crl.comodoca.com
      dns
      62 B
      143 B
      1
      1

      DNS Request

      crl.comodoca.com

      DNS Response

      172.64.149.23
      104.18.38.233

    • 8.8.8.8:53
      136.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      136.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      23.149.64.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      23.149.64.172.in-addr.arpa

    • 8.8.8.8:53
      97.187.91.103.in-addr.arpa
      dns
      72 B
      125 B
      1
      1

      DNS Request

      97.187.91.103.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      31.121.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      31.121.18.2.in-addr.arpa

    • 8.8.8.8:53
      144.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      144.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      14.179.89.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      14.179.89.13.in-addr.arpa


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\misid.exe

      Filesize

      49KB

      MD5

      b36259ad63ebb94ef8f6480cff491452

      SHA1

      810e4c51aeb8284efb08b3d12f0a229bf8ec97e0

      SHA256

      e1832ac2af83851f70e2563f9fd6479aec601c81e6173ff8ef7da0a62b652a1d

      SHA512

      9fe6fa35b3b48c21fe1fe6206d9ad84e7dd5fd88374d74428d8868bf2110643c87b55da588d147917e7f0562752d826e336a66c400628507f30e2d0f5d66ef90

    • C:\Users\Admin\AppData\Local\Temp\misids.exe

      Filesize

      315B

      MD5

      a34ac19f4afae63adc5d2f7bc970c07f

      SHA1

      a82190fc530c265aa40a045c21770d967f4767b8

      SHA256

      d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

      SHA512

      42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

    • memory/912-25-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/912-19-0x00000000004F0000-0x00000000004F6000-memory.dmp

      Filesize

      24KB

    • memory/912-48-0x0000000000500000-0x0000000000510000-memory.dmp

      Filesize

      64KB

    • memory/4404-0-0x0000000000500000-0x0000000000510000-memory.dmp

      Filesize

      64KB

    • memory/4404-1-0x00000000020D0000-0x00000000020D6000-memory.dmp

      Filesize

      24KB

    • memory/4404-9-0x00000000020D0000-0x00000000020D6000-memory.dmp

      Filesize

      24KB

    • memory/4404-2-0x00000000020F0000-0x00000000020F6000-memory.dmp

      Filesize

      24KB

    • memory/4404-17-0x0000000000500000-0x0000000000510000-memory.dmp

      Filesize

      64KB
