Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-01-28...er.exe

windows7-x64

9

2024-01-28...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-28_13d0a9e94b37fcebbb84ba5421206b26_cryptolocker.exe

  • Size

    41KB

  • MD5

    13d0a9e94b37fcebbb84ba5421206b26

  • SHA1

    6e5f4750480ec73aa7c486300b3b5b4b34284307

  • SHA256

    3f1ee5da19658eec62c0a07f45ea15381d23aa058ceace18ec3ba02f4e3f294f

  • SHA512

    f7b7f245c95f75eb9c52b2355c2690e1b97c9eb770e817b2085c0c253ed76ff5d8a3a2cf464b7d49b09732c1b9fb8ef0523fafab4b62ff0bad18f4c2832d67bb

  • SSDEEP

    768:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+sJx:bgGYcA/53GADw8ClC

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_13d0a9e94b37fcebbb84ba5421206b26_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_13d0a9e94b37fcebbb84ba5421206b26_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      PID:3324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    41KB

    MD5

    243a54b3ac28cd8423c82bbf9b577bd5

    SHA1

    ef1db573ccb4e29898f75d706d015993a243e884

    SHA256

    2ca0dbd93257e6682cc46afecdc0b99feff875731df27c4c6d2a58751fed6268

    SHA512

    913492aa6d8b4637e7d833de7aeb516880dda892a1cbf984196c5efdfa314f488705137f873dbaeaeb89713a1cf6e3d3232f17af7bdd11d249b22378dfd8532e

    Download Submit

  • memory/588-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/588-1-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/588-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3324-17-0x0000000002140000-0x0000000002146000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3324-23-0x0000000000670000-0x0000000000676000-memory.dmp

    Filesize

    24KB

    Download