Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe
Size: 38KB
MD5: 45f7dc3106f5b02791e9e54d25d0b68f
SHA1: 218691d25354a28d37be061801550346ca443f81
SHA256: 58fcd3c1dc9da6d1c9fc4411c8761f7f7cffdb14dd0dc1d5e0aabc9319de6bf2
SHA512: 5c4ccffa56a260545ff56edb18dbd18e45d76bdd3427f0a2a459778bcf68335dc4351d185536750d08ff44e01b3f3e9e0801c7fcdc3c6b0c555f16daa11b0afa
SSDEEP: 768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLam5axJ0:V6QFElP6n+gMQMOtEvwDpjyaYaP0
Malware Config
Signatures

Detection of CryptoLocker Variants (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000f000000023124-12.dat | CryptoLocker_rule2
  behavioral2/files/0x000f000000023124-15.dat | CryptoLocker_rule2

Detection of Cryptolocker Samples (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000f000000023124-12.dat | CryptoLocker_set1
  behavioral2/files/0x000f000000023124-15.dat | CryptoLocker_set1

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  4916 | asih.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3148 wrote to memory of 4916 | 3148 | 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe | 85
  PID 3148 wrote to memory of 4916 | 3148 | 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe | 85
  PID 3148 wrote to memory of 4916 | 3148 | 2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-11_45f7dc3106f5b02791e9e54d25d0b68f_cryptolocker.exe"
   PID: 3148
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 3148)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 4916
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 38KB
  MD5: 80f897ae608b453a6cd0d80b0170bd03
  SHA1: 90a4680df94d9b420f576138695480b2e10551a3
  SHA256: dc23d806732d6d907a7845e8ae3e3cee8c6fdfd8424669857317cd83d67dda1b
  SHA512: ff933acf51d432f8e8d14f4a00eecd297fcf0c37180932b92cdc4f63b60102df559ef18246ff740a545900d3066921459a5d85f3195225cd897ac1d87eb9943d

File 2
  Filesize: 34KB
  MD5: 92e1c19c80a64a9079034097b56d9739
  SHA1: 3aae5847df8dcd01b46934853ab17a17ffd1f4ff
  SHA256: dd5b53382354478c77f315cda503570df6735caef037213dca4351fdd0e83f85
  SHA512: e5432952cb281303d2f667565dbf3e921723825965f041bc5ad01bd55d14283870bc9c9e02b9af39afbd90d7a5ee159195bcd7d3db97a515b7666174c2502713