Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/02/2024, 11:24

General

  • Target

    2024-02-28_003bfa6663ccb47b6fc9ec49675f5b95_cryptolocker.exe

  • Size

    40KB

  • MD5

    003bfa6663ccb47b6fc9ec49675f5b95

  • SHA1

    85cbc3048845686eb3892dbff9710656fe22518f

  • SHA256

    d3f04128bef536c4bcf89a0d728e97435fe0305fb854b048fbe825702fd989e0

  • SHA512

    60e56b975c21e2537393a937e305963c73ed2c072e99bdaeeb69c2d7e2740437a229b7466d02d4645590999323641f34384382062b45ccf72d10b9c608fe57e1

  • SSDEEP

    768:TS5nQJ24LR7tOOtEvwDpjGqPhqlcnvgpnHG:m5nkFNMOtEvwDpjG8hgpHG

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 2 IoCs
  • Detects executables built or packed with MPress PE compressor 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-28_003bfa6663ccb47b6fc9ec49675f5b95_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-28_003bfa6663ccb47b6fc9ec49675f5b95_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:3172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe

    Filesize

    41KB

    MD5

    3a1b6f1ce7f4848ae942c708b3ba8354

    SHA1

    5e22a2ba18ea10fca2593844b15b51c8e309a4f9

    SHA256

    591fea75b95d936724dc41a775e4bbb6af9b20c1d003355b0f841eef88c3e5f2

    SHA512

    b484fb69e8035e33363bb4ef538d4012fd148c838b0ce4d1f53cfdd569a5774c7fef1b05c062d5b5b254331c8769ae242f3ef89c4a885fe3e8912d26d4fb86f1

  • memory/1072-0-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

  • memory/1072-1-0x0000000000640000-0x0000000000646000-memory.dmp

    Filesize

    24KB

  • memory/1072-2-0x0000000000640000-0x0000000000646000-memory.dmp

    Filesize

    24KB

  • memory/1072-3-0x0000000000660000-0x0000000000666000-memory.dmp

    Filesize

    24KB

  • memory/1072-17-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

  • memory/3172-51-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB