Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
89s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
18/02/2024, 06:33
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe
-
Size
47KB
-
MD5
4514b240a2b56dc9f4be056d968bb3b5
-
SHA1
66c70b813b214d26597b13078de6951f770aecae
-
SHA256
830eb2cf0324cc27da428a82fb4a97dc1a919e1486995a66d61db7e359f23ca0
-
SHA512
c4be838b122d13896d0a45af637ffef5c0534db8da809b654d965e478114975fe263c5a3903c28157b2c8ca7f8b4d7497b9f3b00642d44d7be26e2c2e1944a55
-
SSDEEP
768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpebVIYLHA3KxV:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xk
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x00090000000231eb-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
resource yara_rule behavioral2/files/0x00090000000231eb-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation 2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation hurok.exe -
Executes dropped EXE 1 IoCs
pid Process 2380 hurok.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2380 2280 2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe 84 PID 2280 wrote to memory of 2380 2280 2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe 84 PID 2280 wrote to memory of 2380 2280 2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-18_4514b240a2b56dc9f4be056d968bb3b5_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\hurok.exe"C:\Users\Admin\AppData\Local\Temp\hurok.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2380
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD527ac739263b8589d2b0b6452259de223
SHA19315379e9495aa39ddd3b03bdde3809c0ac5a24d
SHA256ac7cbf2f010fc575a512c811f8b3ce77c6f7ea754da79d312fc4afccffcda74e
SHA5125bd529347b965d0290e43e768c7e68a9ecb2a397c7495e627bed71b6e0c0660ec5c7d3aadd18411dff46df7ef681342753250bf41eae880e3731439d1625d882