File name:

2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker

Full analysis: https://app.any.run/tasks/84e00ea6-9b70-41c0-acee-2b349056a93e
Verdict: Malicious activity
Analysis date: December 06, 2022, 05:35:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9D1CCB567F0C4663724704707F521BAE

SHA1:

42062B36D04D020EF2F5BC8F6946B3A600B5F340

SHA256:

7FF6157E8E290B4AA1154D8EC4162E2999E2D9AE0D456FA368EA6D4193EF05EB

SSDEEP:

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfIuBK6:vCjsIOtEvwDpj5H9YvQd2D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • misid.exe (PID: 2016)
      • 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe (PID: 1756)
    • Starts itself from another location

      • 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe (PID: 1756)
    • Checks Windows Trust Settings

      • misid.exe (PID: 2016)
    • Reads security settings of Internet Explorer

      • misid.exe (PID: 2016)
    • Reads settings of System Certificates

      • misid.exe (PID: 2016)
  • INFO

    • Reads the computer name

      • 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe (PID: 1756)
      • misid.exe (PID: 2016)
    • Checks proxy server information

      • misid.exe (PID: 2016)
    • Checks supported languages

      • 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe (PID: 1756)
      • misid.exe (PID: 2016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2013-Oct-02 12:54:25
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 240

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2013-Oct-02 12:54:25
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
11471
11776
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.03933
.rdata
16384
1222
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.25123
.data
20480
1563
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.76232
.rsrc
24576
10952
11264
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.97715
.reloc
36864
542
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.44117

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.96947
9832
UNKNOWN
English - United States
RT_ICON
3
2.01924
20
UNKNOWN
English - United States
RT_GROUP_ICON
IDR_VERSION1
3.13044
408
UNKNOWN
English - United States
RT_VERSION
1 (#2)
4.79597
346
UNKNOWN
English - United States
RT_MANIFEST

Imports

gdi32.dll
kernel32.dll
user32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe no specs misid.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1756"C:\Users\admin\Desktop\2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe" C:\Users\admin\Desktop\2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
2016"C:\Users\admin\AppData\Local\Temp\misid.exe" C:\Users\admin\AppData\Local\Temp\misid.exe
2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\misid.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3856"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exemisid.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
Total events
7 291
Read events
7 249
Write events
42
Delete events
0

Modification events

(PID) Process:(1756) 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1756) 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1756) 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1756) 2022-12-05_9d1ccb567f0c4663724704707f521bae_cryptolocker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2016) misid.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
8
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\87CD74335D81E59B3AD1335BFD4C2A0Ebinary
MD5:E6F56D4D3F2ED404A78D4C2E280E3018
SHA256:C46220C342299BEC905758373C44FA70C0A65560A0CF1AC86B1BC42FCD01CE0A
3856ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs4BFE.tmptext
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B
SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
2016misid.exeC:\Users\admin\AppData\Local\Temp\misids.exehtml
MD5:A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA256:D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC42971B7939A9CA55C44CFC893D7C1Dder
MD5:AADD30744B8F83FAAFD1567D7F556F17
SHA256:1B7C0CCA6A88A971CEF46801F3A45BFBBDDF6D04D4AE24780823C355E63B54E4
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:A7C67F7AA58A9BA1F01507CC869B080B
SHA256:A0CD2E753927747AA0B5079A9967DDAF54052BD058877C4EE1BDFB663BA4AF7A
2016misid.exeC:\Users\admin\AppData\Local\Temp\TarD5F.tmpcat
MD5:73B4B714B42FC9A6AAEFD0AE59ADB009
SHA256:C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\87CD74335D81E59B3AD1335BFD4C2A0Ebinary
MD5:FA633B6A9702AF3905ACAADED340B210
SHA256:A859E268194DF1089044BE3148FFAC556881EC473F1B37588242C75221C27234
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC42971B7939A9CA55C44CFC893D7C1Dbinary
MD5:4B69E8551B7DA5443D651D8CA6AE5180
SHA256:2060D5AC5086E9D9DB4132D1F8F051E3622296FEDB293E9D779A7A3E6C4CEC34
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
2016misid.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:C3ED14D77994A39A14DE9BDD12CAFC7E
SHA256:F095682FCB6E79DD2A533B2169E68F28E72F2848680CE6E1FC17E16EE60D4631
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2016
misid.exe
GET
200
8.248.149.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8fb806ede9c13c65
US
compressed
4.70 Kb
whitelisted
2016
misid.exe
GET
200
8.248.149.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?48ccd6962bb1e4ab
US
compressed
61.4 Kb
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
US
binary
72.3 Kb
whitelisted
2016
misid.exe
GET
200
172.64.155.188:80
http://crl.comodoca.com/COMODORSACertificationAuthority.crl
US
der
826 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2016
misid.exe
172.64.155.188:80
ocsp.comodoca.com
CLOUDFLARENET
US
suspicious
2016
misid.exe
104.18.32.68:80
ocsp.comodoca.com
CLOUDFLARENET
suspicious
2016
misid.exe
103.14.121.240:443
bestccc.com
Good Domain Registry Private Limited
IN
malicious
2016
misid.exe
8.248.149.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious

DNS requests

Domain
IP
Reputation
bestccc.com
  • 103.14.121.240
malicious
ctldl.windowsupdate.com
  • 8.248.149.254
  • 8.248.117.254
  • 8.238.30.254
  • 8.248.113.254
  • 8.248.141.254
whitelisted
ocsp.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
crl.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted

Threats

No threats detected
No debug info