Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2024, 00:56
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe
Size: 49KB
MD5: a2c4cfe593ae221aa9375a5a8d553802
SHA1: b43d2ae47e95c6900dc741e021eb221d2b8c3d26
SHA256: 2f7b4c47477b01776fdc86aed4ffb7a0b0ad35ed9dcb96e73c044dfbab2f918f
SHA512: 2087227d6c8201e27abb231cfb11da4d071cbaa187a2db80ffcfbe053fb60de820221412e539ecd89bb9e5c8478d805ab2b317374b4f77cb313480303a9986c5
SSDEEP: 1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszsbKY1xzpAIBm:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7P
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral2/files/0x000400000001e5eb-12.dat, yara_rule: CryptoLocker_rule2
- Detection of Cryptolocker Samples (1 IoC)
  resource: behavioral2/files/0x000400000001e5eb-12.dat, yara_rule: CryptoLocker_set1
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation, Process: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe
  description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation, Process: hurok.exe
- Executes dropped EXE (1 IoC)
  pid: 984, Process: hurok.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3156 wrote to memory of 984, pid: 3156, Process: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe, procid_target: 88
  description: PID 3156 wrote to memory of 984, pid: 3156, Process: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe, procid_target: 88
  description: PID 3156 wrote to memory of 984, pid: 3156, Process: 2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe, procid_target: 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-07_a2c4cfe593ae221aa9375a5a8d553802_cryptolocker.exe"
   PID: 3156
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\hurok.exe (child of PID 3156)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      PID: 984
      - Checks computer location settings
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 50KB
  MD5: b76dcd3585902db31033f020761143c8
  SHA1: fd5712b418999b3c8a4827ce27ab2e57011aa71f
  SHA256: 0a7a1dcf1ec42ebda68a32cfde227682f0609696c4ca72d87cc964c0cd861f8a
  SHA512: e9cb7fbc0590f6c3cf9ce314bef5f2c4927de7792272da70efef04fc8b6f57300a3b641d76bfe906364973f3ba4246d37d7e06b58b1d1db68385ff05f2157dab