Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/02/2024, 06:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe
  Resource: win10v2004-20231222-en
General
Target: 2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe
Size: 43KB
MD5: 9352f1a25b7eb11b56edd67379a438fd
SHA1: e70ded9db8057f2e9127574429b012263a7bd6f9
SHA256: 590f7c2a93ce8628abf9013dbf48324da51370626480dfc2f4dcc67e7055365d
SHA512: b5ac210c8557868b59bcec36cf13aa889fa350f69c1ee69225f6497e50ecc3d963b985fd8a3d8963c73ac116876f591c2d73a5ef93e775ea27f55765def4a609
SSDEEP: 384:e/4wODQkzonAYsju5N/surDQtOOtEvwDpjqIGROqS/WccJVJwi2B5oCCM8CLV:79inqyNR/QtOOtEvwDpjBKccJVODvy34
Malware Config
Signatures

Detection of CryptoLocker Variants (3 IoCs)
  Resource                                                                     YARA rule
  behavioral2/memory/2204-0-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_rule2
  behavioral2/files/0x00070000000231f2-13.dat                                  CryptoLocker_rule2
  behavioral2/memory/2204-17-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2

Detection of Cryptolocker Samples (3 IoCs)
  Resource                                                                     YARA rule
  behavioral2/memory/2204-0-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_set1
  behavioral2/files/0x00070000000231f2-13.dat                                  CryptoLocker_set1
  behavioral2/memory/2204-17-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  Process: 2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe

Executes dropped EXE (1 IoC)
  PID 2108: asih.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID   Process                                                      procid_target
  PID 2204 wrote to memory of 2108  2204  2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe  42
  PID 2204 wrote to memory of 2108  2204  2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe  42
  PID 2204 wrote to memory of 2108  2204  2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe  42
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-04_9352f1a25b7eb11b56edd67379a438fd_cryptolocker.exe"
   PID: 2204
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 2108
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 43KB
MD5: 51ff7eb44ee5844590ad03b7beb25fa6
SHA1: f5fd5dd723fe766317c242d70d1589a679dba7af
SHA256: 3b131611959a69d420a79744decb0a4638cd41689905ae8f9d00e2d5c5387d90
SHA512: 82c925f05993081c7a77c0ffc3cedd902bcb9ce03a771a8997b16f504fa450134418167946273ef4e4a5c6f33b611b593f6d4f754c415f91a0d6d8849d57a9a6