Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
23/02/2024, 05:39
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe
Resource
win10v2004-20240221-en
General
-
Target
2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe
-
Size
42KB
-
MD5
357cd1664c8e798912e837cae83a50d4
-
SHA1
61529526a7ee0f190ff3f18285e6e3178579990c
-
SHA256
008fb3728c95f6365841dd7a3fe0e61b16fc6d37804ba699d82af1161c1da3b5
-
SHA512
b96ac1997eb0d59693e859e23af3dbd58b44320b905c30051b11ecca30aa0c771d6b1d91965c948a05b5793d13eabf31037a23b0afe6bea44f7ebb6a53b14765
-
SSDEEP
768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMRqrwGKT:bc/y2lkF0+Bjrdc
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000e000000023165-12.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation 2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 2212 rewok.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1792 wrote to memory of 2212 1792 2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe 87 PID 1792 wrote to memory of 2212 1792 2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe 87 PID 1792 wrote to memory of 2212 1792 2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-23_357cd1664c8e798912e837cae83a50d4_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\rewok.exe"C:\Users\Admin\AppData\Local\Temp\rewok.exe"2⤵
- Executes dropped EXE
PID:2212
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD57e76d5f0b3e65e605d610a5eba7ccf3e
SHA1bebec0efa0a79af9475cfee4984896df1f3cb515
SHA256e5dc987ef2166ad60960cf7819068f1467f940a1d8118a7a38afc72cf935f2c3
SHA512e79d432b26c5da3764b87338b76802f5500a2a258ec9f8f53fa0139d6164a7230ccbda78cae3836b22155d01851331c576c5c36dfb968146ca9aa6bf385b2f11