Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 08:25

General

  • Target

    2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe

  • Size

    96KB

  • MD5

    20a59c8f9e39e7ce168ba514c6d0fc45

  • SHA1

    d32b64350bd689f91cd322a371fb71863e2c7919

  • SHA256

    b72d6e73c8348dc1e997781e5034893f5332145cd2c4fdfb99554279ea3c2bbe

  • SHA512

    4d70d88d1d2877e934cd6b2537f5fbe1e5884918b64c59504a90918366ceb3fb04d8e295fe0f7596973b12506187e8eb3fcf5e2e13e3c0a84860689a66242ed5

  • SSDEEP

    1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbbr/BKW:z6a+CdOOtEvwDpjcX

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_20a59c8f9e39e7ce168ba514c6d0fc45_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:4676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    96KB

    MD5

    e60b534f68a94bf1bdb649b52909ab02

    SHA1

    2f0b8c42587399657e5e99772b4e11652bfb3787

    SHA256

    ea4282518b326d6f6fa9c79590a7b28cab948181f340d5938d4f7335c4a73605

    SHA512

    742466638c22ee4a1e3ba3f18e3d76ff3c5bf7f051a5cf2efb4b1ff11d1da7c36355635880b14b38c9b904e2d6c9c89efbe908f04c5e6ed54f2769c63382a167

  • memory/4000-0-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/4000-1-0x00000000006A0000-0x00000000006A6000-memory.dmp

    Filesize

    24KB

  • memory/4000-2-0x00000000006A0000-0x00000000006A6000-memory.dmp

    Filesize

    24KB

  • memory/4000-3-0x00000000006C0000-0x00000000006C6000-memory.dmp

    Filesize

    24KB

  • memory/4000-16-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/4676-19-0x0000000002110000-0x0000000002116000-memory.dmp

    Filesize

    24KB

  • memory/4676-25-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

    Filesize

    24KB

  • memory/4676-26-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB