Analysis
max time kernel: 0s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 22:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe
  Resource: win10v2004-20231222-en
General
Target: 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe
Size: 38KB
MD5: 150407815517c43e34164481f6242cd1
SHA1: 2edd83586d0143ecaa631200815cad8e51aa4fcd
SHA256: af4ded99c084700b54b618bf6ad3592486d8bf6a80e43388e427311896cd69a3
SHA512: d57807e3519e40629350ecfafd8dcee5aae3fe6d56af9d25cb28accda669d759810149a3e4cb759a78af77a8e8ea370ce5c3c8a11600c3f72ff30cf1d69a79a7
SSDEEP: 768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6Dy8P4l:bIDOw9a0Dwo3P1ojvUSDhW
Malware Config
Signatures
Detection of CryptoLocker Variants (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000400000001e630-15.dat | CryptoLocker_rule2
  behavioral2/files/0x000400000001e630-14.dat | CryptoLocker_rule2
  behavioral2/files/0x000400000001e630-12.dat | CryptoLocker_rule2
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  1828 | lossy.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3300 wrote to memory of 1828 | 3300 | 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe | 20
  PID 3300 wrote to memory of 1828 | 3300 | 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe | 20
  PID 3300 wrote to memory of 1828 | 3300 | 2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe | 20
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe"
  PID: 3300
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\lossy.exe (child of PID 3300)
    command line: "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
    PID: 1828
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 32KB
MD5: f57f909f5e75000d99c4b47d1e769498
SHA1: 4291f711f801e7bae2eb91ca67222d6d252c6e5a
SHA256: 5185931e4f1e9b4035b4e7b11aa445ac9e50995064d1f736900801dc1c43fee9
SHA512: c008803d4a5b050352a9a7fc4c1f2b06a18be10343645512911006df59fb3bf7a0cef2c36ba6c6380181b61590fe6a367f6376cb514ca41ea8680eb165fbf2a6

Filesize: 38KB
MD5: a80c8a5f50a7d8afc6b0ffe45fe50d83
SHA1: 86f1c4880ba8ddd84bbc409cf1281bdff438e33f
SHA256: 81703048c262dc583e57d1fdb17bb65dc5824160e7a60f9168b5be714b65bf43
SHA512: 60a3c0027c5ccc5386c25b72b7c99792cb4f38eb38a802df890b8f28bc51a53382c9e0a54c692cf332207ba74a0d550c8b5b74ac15cd065dd7f17359e60e79d0

Filesize: 5KB
MD5: 442c7329f28298669527ab082d054b19
SHA1: a209cfbbe379ecff87b18ae21d71dd7ae6b15b41
SHA256: 85ea7d19dc5ec7e6e5d7a334b8394c703b12fe023546e62945c4fcd0811bd60e
SHA512: 6843463f7d5744e54d561ba5876dfc98aa0727917decbc6a92ec1006287d3f12e0bfafe8f97b9abb57338975ac3aa5fc79f5f38e38d94c7cb9321fb7161cf55d