Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 05:53

General

  • Target

    2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe

  • Size

    78KB

  • MD5

    aa01992c752cd5389bbf54168aa9537b

  • SHA1

    facffa8a3c6b20e54258fd7fd1e4cd8decac887b

  • SHA256

    15c08bfc517bcf5d8fe5e801504e1edf1da893c8b76dc8aa25c3bfb39d542eac

  • SHA512

    fee7a5da10cf23599cc63a8f537545e17c0b30f353f72c7e69f06701dc6de14b6c4d8de5070ef33d57362c3bade8ec09ff38b3e83b8827d25a3cc7a9666c2647

  • SSDEEP

    1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdOyJ3KEWTPP:ZVxkGOtEvwDpjcaxK

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Executes dropped EXE
      PID:920
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\misid.exe

      Filesize

      78KB

      MD5

      12bbb0ef2234d35dc8289df832f66730

      SHA1

      70b67f2c26295688b24c3012c886b94411cd99ce

      SHA256

      9c4e448209c504fc6cc22ce190edf214b1c45a746d289e6ae808a8d9e5e2ae67

      SHA512

      c99902a77d8f5014ef1e8da64ce16e0e9c39737c7bc1e59f946a64daff4a132b54a69cb3954ed86eca892f5004ffa03453ddfbdc709d395f84dcbf54e83700dd

    • C:\Users\Admin\AppData\Local\Temp\misid.exe

      Filesize

      19KB

      MD5

      6d43bffeeee2c318a31fbe79c78f831f

      SHA1

      d77cafb4dd4b12f03b4afdfa1befed3848b43ab6

      SHA256

      658ae1bf624830c34a17fa8b6a6810823f609b271a36c35f3769e42c019d171b

      SHA512

      975a8c23c395a3569620550ba30dbafc62cc1bc6bd9b67f33e1e45d4643a9c559b0cd71d96f50d28e9a702f8d2b90d5bff9c2dff0013bffa3d024ab90c3db38e

    • memory/920-17-0x0000000000450000-0x0000000000453000-memory.dmp

      Filesize

      12KB

    • memory/920-20-0x0000000000510000-0x0000000000516000-memory.dmp

      Filesize

      24KB

    • memory/920-22-0x00000000004E0000-0x00000000004E6000-memory.dmp

      Filesize

      24KB

    • memory/3592-0-0x00000000004E0000-0x00000000004E3000-memory.dmp

      Filesize

      12KB

    • memory/3592-1-0x0000000002220000-0x0000000002226000-memory.dmp

      Filesize

      24KB

    • memory/3592-2-0x0000000002220000-0x0000000002226000-memory.dmp

      Filesize

      24KB

    • memory/3592-3-0x0000000002250000-0x0000000002256000-memory.dmp

      Filesize

      24KB

    • memory/3592-19-0x00000000004E0000-0x00000000004E3000-memory.dmp

      Filesize

      12KB