Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2024, 15:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
-
Size
45KB
-
MD5
13eaf2f3080d0b45d0e204dac6866f79
-
SHA1
30d93273e8554782d243655eb396ec5ae248bc04
-
SHA256
00f35eb22416ab9f126697c7227c857155c4645e474f00584f5b2abd2a97a3e5
-
SHA512
986146905c3f79de2622aba6b38ab8e4b376429da974f78f606b6560c7a023315b5d0f39668af7d2488628db7f096c6659bf4c6901fdb1983039732cc5217f1b
-
SSDEEP
768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/WZrEu/d+qmsUHQ1wsk:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ12
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023206-13.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4132 misid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4756 wrote to memory of 4132 4756 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe 89 PID 4756 wrote to memory of 4132 4756 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe 89 PID 4756 wrote to memory of 4132 4756 2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:4132
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5396c3dfcf7d13988bea46e7c0bf0b9ff
SHA100aad7fc3d2e094b50ab135bad221b9f6ff70b2a
SHA256552c57f0f8fa7fb90cfdfd1095cd3e9cf0f854578679f64dc518a84f609912c2
SHA512644f4c60bef44730c8dc050c52a56830a33d3e27c7f2252746a9196d712475667d2d569d53f34d86134433d8ee623783556e93f230f8c18ea226e443d6cc07e8