Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/02/2024, 12:34
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
  Resource: win10v2004-20240220-en
General

Target: 2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
Size: 37KB
MD5: 6a3976af618661c489d3117a4ee12646
SHA1: fb1d4518f3fcaacc3d9d902fc5f7accb59b546ba
SHA256: 486c3e4ee6546f07a26ad2bdf41934c97a27b5ee2242fc4452e4acab3feacb46
SHA512: 026e91bc25278baad9eac667296cc35e5aa6fffd5c17c96004791959a40f90c28d64b1327c439b51a0cea46e4bf7890a8e4714cc85dc8386983cbe7a7bcd94ff
SSDEEP: 384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3sp8u5cZr/04qXZ:bgX4zYcgTEu6QOaryfjqDDw3sCu5q/8Z
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral2/files/0x000400000002288e-12.dat
  yara_rule: CryptoLocker_rule2

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation
  Process: 2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe

Executes dropped EXE (1 IoC)
  pid: 3128
  Process: hasfj.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs; the same event is recorded three times)
  description: PID 5004 wrote to memory of 3128
  pid: 5004
  Process: 2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
  procid_target: 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe"
   PID: 5004
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\hasfj.exe (nested under PID 5004)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      PID: 3128
      - Executes dropped EXE
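The three behaviours this report ties to PID 5004 (a Geo\Nation registry read, a dropped hasfj.exe that is then launched, and WriteProcessMemory into that child) are the kind of pattern a triage script should correlate rather than alert on one at a time. The following is an added example, not tria.ge code and not the sandbox's export format: the event records and their field names are constructed here to mirror the IoCs above, and a little benign activity (explorer.exe launching notepad.exe, a LocaleName query) is included so the rules can be seen not firing.

```python
import re
from collections import Counter

# Constructed event records modelled on this report's IoCs (PIDs 5004 and 3128,
# hasfj.exe, the Geo\Nation key). Field names are assumed, not tria.ge's schema.
EVENTS = [
    {"type": "process_create", "pid": 5004, "ppid": 4012,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe"},
    {"type": "reg_query", "pid": 5004,
     "key": r"\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "pid": 5004, "path": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"},
    {"type": "process_create", "pid": 3128, "ppid": 5004,
     "image": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"},
    # The report records the same WriteProcessMemory IoC three times; mirror that.
    {"type": "write_process_memory", "pid": 5004, "target_pid": 3128},
    {"type": "write_process_memory", "pid": 5004, "target_pid": 3128},
    {"type": "write_process_memory", "pid": 5004, "target_pid": 3128},
    # Benign noise that must not fire: an ordinary child launch with no drop and no
    # memory write, and a locale query that is not the Geo\Nation value.
    {"type": "process_create", "pid": 4012, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4100, "ppid": 4012, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "reg_query", "pid": 4100,
     "key": r"\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\LocaleName"},
]

# Match the value name regardless of hive or SID prefix.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def geofence_lookups(events):
    """PIDs that read the user's GeoID, the tell behind 'Checks computer location settings'."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_query" and GEO_NATION.search(e["key"])})


def dropped_exe_executions(events):
    """(writer_pid, new_pid, path) for every process created from a file written earlier in the log."""
    written = {}  # normalised path -> pid that first wrote it
    hits = []
    for e in events:  # events are in time order, so a write must precede the launch
        if e["type"] == "file_write":
            written.setdefault(e["path"].lower(), e["pid"])
        elif e["type"] == "process_create" and e["image"].lower() in written:
            hits.append((written[e["image"].lower()], e["pid"], e["image"]))
    return hits


def parent_memory_writes(events):
    """(parent_pid, child_pid, count) for WriteProcessMemory from a parent into a child it spawned.
    Duplicate IoC rows, as in this report, are collapsed into a count."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    counts = Counter((e["pid"], e["target_pid"]) for e in events
                     if e["type"] == "write_process_memory"
                     and parent_of.get(e["target_pid"]) == e["pid"])
    return sorted((p, c, n) for (p, c), n in counts.items())


def triage(events):
    """Roll the three findings into one verdict: a process that geofences, drops an EXE,
    launches it and then writes into the new process is worth escalating."""
    geo = set(geofence_lookups(events))
    drops = dropped_exe_executions(events)
    injections = {(p, c) for p, c, _ in parent_memory_writes(events)}
    suspects = sorted(w for w, n, _ in drops if w in geo and (w, n) in injections)
    return {"geofence_pids": sorted(geo), "dropped_exe": drops,
            "parent_child_memory_writes": sorted(injections), "escalate": suspects}


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(EVENTS))
```

On the constructed log, `triage(EVENTS)["escalate"]` is `[5004]`: the geofence read, the drop-and-launch of hasfj.exe and the parent-to-child memory write all land on the same PID, while explorer.exe and notepad.exe stay clear. Collapsing the three identical WriteProcessMemory rows into a count matters in practice, because a sandbox that logs every call will otherwise make a single injection look like three.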
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 37KB
MD5: 00b73e680176177a3d095d22a51b4e39
SHA1: 089ca7f0cf607de67546d91a2e3fec92d027eda4
SHA256: 71961728004070a234a2a102fcb42bfa0ed34edae83d83d3febd81c50df3ba79
SHA512: 79dae509cdfbbd9497cb2cd7b788b1209c9cb15168df6002a02f5e417b95b236cab42b70bfcb552b2e1d7c090d3d7572fc84a11cca47539977af0d3357858644