
Analysis

  • max time kernel
    0s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/01/2024, 22:27

General

  • Target

    2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe

  • Size

    38KB

  • MD5

    150407815517c43e34164481f6242cd1

  • SHA1

    2edd83586d0143ecaa631200815cad8e51aa4fcd

  • SHA256

    af4ded99c084700b54b618bf6ad3592486d8bf6a80e43388e427311896cd69a3

  • SHA512

    d57807e3519e40629350ecfafd8dcee5aae3fe6d56af9d25cb28accda669d759810149a3e4cb759a78af77a8e8ea370ce5c3c8a11600c3f72ff30cf1d69a79a7

  • SSDEEP

    768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6Dy8P4l:bIDOw9a0Dwo3P1ojvUSDhW

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe (PID 3300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-18_150407815517c43e34164481f6242cd1_cryptolocker.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\lossy.exe (PID 1828, child of PID 3300)
      Command line: "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lossy.exe

    Filesize

    32KB

    MD5

    f57f909f5e75000d99c4b47d1e769498

    SHA1

    4291f711f801e7bae2eb91ca67222d6d252c6e5a

    SHA256

    5185931e4f1e9b4035b4e7b11aa445ac9e50995064d1f736900801dc1c43fee9

    SHA512

    c008803d4a5b050352a9a7fc4c1f2b06a18be10343645512911006df59fb3bf7a0cef2c36ba6c6380181b61590fe6a367f6376cb514ca41ea8680eb165fbf2a6

  • C:\Users\Admin\AppData\Local\Temp\lossy.exe

    Filesize

    38KB

    MD5

    a80c8a5f50a7d8afc6b0ffe45fe50d83

    SHA1

    86f1c4880ba8ddd84bbc409cf1281bdff438e33f

    SHA256

    81703048c262dc583e57d1fdb17bb65dc5824160e7a60f9168b5be714b65bf43

    SHA512

    60a3c0027c5ccc5386c25b72b7c99792cb4f38eb38a802df890b8f28bc51a53382c9e0a54c692cf332207ba74a0d550c8b5b74ac15cd065dd7f17359e60e79d0

  • C:\Users\Admin\AppData\Local\Temp\lossy.exe

    Filesize

    5KB

    MD5

    442c7329f28298669527ab082d054b19

    SHA1

    a209cfbbe379ecff87b18ae21d71dd7ae6b15b41

    SHA256

    85ea7d19dc5ec7e6e5d7a334b8394c703b12fe023546e62945c4fcd0811bd60e

    SHA512

    6843463f7d5744e54d561ba5876dfc98aa0727917decbc6a92ec1006287d3f12e0bfafe8f97b9abb57338975ac3aa5fc79f5f38e38d94c7cb9321fb7161cf55d

  • memory/1828-17-0x0000000001F60000-0x0000000001F66000-memory.dmp

    Filesize

    24KB

  • memory/1828-23-0x0000000001F40000-0x0000000001F46000-memory.dmp

    Filesize

    24KB

  • memory/3300-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

  • memory/3300-8-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

  • memory/3300-1-0x00000000020F0000-0x00000000020F6000-memory.dmp

    Filesize

    24KB