Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2024, 08:25
Behavioral task: behavioral1
- Sample: 2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe
- Resource: win10v2004-20231215-en
General
- Target: 2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe
- Size: 96KB
- MD5: 20a59c8f9e39e7ce168ba514c6d0fc45
- SHA1: d32b64350bd689f91cd322a371fb71863e2c7919
- SHA256: b72d6e73c8348dc1e997781e5034893f5332145cd2c4fdfb99554279ea3c2bbe
- SHA512: 4d70d88d1d2877e934cd6b2537f5fbe1e5884918b64c59504a90918366ceb3fb04d8e295fe0f7596973b12506187e8eb3fcf5e2e13e3c0a84860689a66242ed5
- SSDEEP: 1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbbr/BKW:z6a+CdOOtEvwDpjcX
Malware Config
Signatures
- Detection of CryptoLocker Variants (4 IoCs)
  resource: yara_rule
  - behavioral2/memory/4000-0-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2
  - behavioral2/files/0x001100000002315e-13.dat: CryptoLocker_rule2
  - behavioral2/memory/4000-16-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2
  - behavioral2/memory/4676-26-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2
- Detection of Cryptolocker Samples (4 IoCs)
  resource: yara_rule
  - behavioral2/memory/4000-0-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1
  - behavioral2/files/0x001100000002315e-13.dat: CryptoLocker_set1
  - behavioral2/memory/4000-16-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1
  - behavioral2/memory/4676-26-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1
- UPX dump on OEP (original entry point) (4 IoCs)
  resource: yara_rule
  - behavioral2/memory/4000-0-0x0000000000500000-0x0000000000510000-memory.dmp: UPX
  - behavioral2/files/0x001100000002315e-13.dat: UPX
  - behavioral2/memory/4000-16-0x0000000000500000-0x0000000000510000-memory.dmp: UPX
  - behavioral2/memory/4676-26-0x0000000000500000-0x0000000000510000-memory.dmp: UPX
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: ioc (Process)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe)
- Executes dropped EXE (1 IoC)
  pid: Process
  - 4676: asih.exe
- resource: yara_rule
  - behavioral2/memory/4000-0-0x0000000000500000-0x0000000000510000-memory.dmp: upx
  - behavioral2/files/0x001100000002315e-13.dat: upx
  - behavioral2/memory/4000-16-0x0000000000500000-0x0000000000510000-memory.dmp: upx
  - behavioral2/memory/4676-26-0x0000000000500000-0x0000000000510000-memory.dmp: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: pid (Process), procid_target
  - PID 4000 wrote to memory of 4676: 4000 (2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe), 87
  - PID 4000 wrote to memory of 4676: 4000 (2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe), 87
  - PID 4000 wrote to memory of 4676: 4000 (2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe), 87
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe"
  PID: 4000
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 4676
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
- MD5: e60b534f68a94bf1bdb649b52909ab02
- SHA1: 2f0b8c42587399657e5e99772b4e11652bfb3787
- SHA256: ea4282518b326d6f6fa9c79590a7b28cab948181f340d5938d4f7335c4a73605
- SHA512: 742466638c22ee4a1e3ba3f18e3d76ff3c5bf7f051a5cf2efb4b1ff11d1da7c36355635880b14b38c9b904e2d6c9c89efbe908f04c5e6ed54f2769c63382a167