File name:

2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker

Full analysis: https://app.any.run/tasks/f4772cef-e8f8-44c3-9543-d3b6b82f6377
Verdict: Malicious activity
Analysis date: December 06, 2022, 05:29:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:

05421B33391ECA99CD6A4B7DED9FCE9B

SHA1:

9CA698BCCC41F18B20D0FFA180B36F73EA539950

SHA256:

03975B96388ED79A658664C691B97C32B0EAE7F1441E82780CD8A39BA2BCE982

SSDEEP:

768:xQz7yVEhs9+4uR1bytOOtEvwDpjWfbZ7uyA36S7MSRb8u:xj+VGMOtEvwDpjubwQEnl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe (PID: 1756)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe (PID: 1756)

    • Starts itself from another location

      • 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe (PID: 1756)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2013-Oct-02 12:54:25
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 64
e_cp: 1
e_crlc: 0
e_cparhdr: 2
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 46080
e_oeminfo: 52489
e_lfanew: 64

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 4
TimeDateStamp: 2013-Oct-02 12:54:25
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.MPRESS1
4096
36864
17408
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.13375
.MPRESS2
40960
4096
1024
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.88318
.rsrc
45056
16384
13312
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.78499
.imports
61440
4096
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.9983

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.96947
9832
Latin 1 / Western European
English - United States
RT_ICON
3
2.01924
20
Latin 1 / Western European
English - United States
RT_GROUP_ICON
RA03
7.88926
1837
Latin 1 / Western European
UNKNOWN
RA03
IDR_VERSION1
3.13044
408
Latin 1 / Western European
English - United States
RT_VERSION
1 (#2)
4.79597
346
Latin 1 / Western European
English - United States
RT_MANIFEST

Imports

gdi32.dll
kernel32.dll
user32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe misid.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1756"C:\Users\admin\Desktop\2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe" C:\Users\admin\Desktop\2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
2016"C:\Users\admin\AppData\Local\Temp\misid.exe" C:\Users\admin\AppData\Local\Temp\misid.exe
2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\misid.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
3012"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exemisid.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
7 578
Read events
7 536
Write events
42
Delete events
0

Modification events

(PID) Process:(1756) 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1756) 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1756) 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1756) 2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
10
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\87CD74335D81E59B3AD1335BFD4C2A0Ebinary
MD5:FD95215105C4F006393AE93A7A9A08B7
SHA256:80CC8D60E2DEB6E0A5368BD9E392D41302BC52889E7E52D197BA1F4C133A5D5F
2016misid.exeC:\Users\admin\AppData\Local\Temp\misids.exehtml
MD5:A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA256:D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDAbinary
MD5:EF8299F38881C276E20992C03DA9C1B7
SHA256:B2225A8B4D5FDF7242FE95C56A301881FD8E506194017422E4CA2E42194E3F01
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:5D97BF37FFA7D7B0C36F6637B87624D7
SHA256:0E4226B4000FF8AD2E118BFC413E2BB31217C59980E833A7AF090A74EFFC8CBB
3012ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs2DC3.tmptext
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B
SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0255CEC2C51D081EFF40366512890989_8139DA8AF71D2AC8E295A42D0C1D413Bbinary
MD5:C4823A2F0A254120AFED10DEF106881C
SHA256:69548391FCF11EF3CAE2D2D64032E4D299E88978E5C9119DD05BA803E111324E
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0255CEC2C51D081EFF40366512890989_8139DA8AF71D2AC8E295A42D0C1D413Bbinary
MD5:5BFA51F3A417B98E7443ECA90FC94703
SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
2016misid.exeC:\Users\admin\AppData\Local\Temp\Tar76C8.tmpcat
MD5:73B4B714B42FC9A6AAEFD0AE59ADB009
SHA256:C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\87CD74335D81E59B3AD1335BFD4C2A0Ebinary
MD5:E6F56D4D3F2ED404A78D4C2E280E3018
SHA256:C46220C342299BEC905758373C44FA70C0A65560A0CF1AC86B1BC42FCD01CE0A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
12
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2016
misid.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3a5d1a45e7b5df03
US
compressed
4.70 Kb
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEDxnfkAuwwRAeeP5piZS1Hs%3D
US
binary
5 b
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEDxnfkAuwwRAeeP5piZS1Hs%3D
US
binary
5 b
whitelisted
2016
misid.exe
GET
200
104.18.32.68:80
http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
US
binary
72.3 Kb
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEDxnfkAuwwRAeeP5piZS1Hs%3D
US
binary
5 b
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY
US
der
2.18 Kb
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEDxnfkAuwwRAeeP5piZS1Hs%3D
US
binary
5 b
whitelisted
2016
misid.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?00dcd94c49904855
US
compressed
61.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2016
misid.exe
172.64.155.188:80
ocsp.comodoca.com
CLOUDFLARENET
US
suspicious
2016
misid.exe
104.18.32.68:80
ocsp.comodoca.com
CLOUDFLARENET
suspicious
2016
misid.exe
103.14.121.240:443
bestccc.com
Good Domain Registry Private Limited
IN
malicious
2016
misid.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
bestccc.com
  • 103.14.121.240
malicious
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
crl.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2022-12-05_05421b33391eca99cd6a4b7ded9fce9b_cryptolocker