Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 12:45
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe
-
Size
128KB
-
MD5
b0138e1da5fdb3af970fa9848a2a913c
-
SHA1
849b5e65e59932c6efcfcc76ba5d71a35bd47235
-
SHA256
491187444a1dbfec709afb612008e72e3027f5d6f9eaecbcef012db8d33b5a51
-
SHA512
2cbe578a1992bcfbedea90bb92908a4dd9daaa566f47a1f9034c35405cfec2056c88af1a30d4511c390d767909c64f70ba6d1f54293a136d9af40c468acccdf1
-
SSDEEP
1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfIuBKLUYOVbvh//6:vCjsIOtEvwDpj5H9YvQd2RA
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000d00000002315a-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
resource yara_rule behavioral2/files/0x000d00000002315a-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation 2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 3076 misid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3212 wrote to memory of 3076 3212 2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe 84 PID 3212 wrote to memory of 3076 3212 2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe 84 PID 3212 wrote to memory of 3076 3212 2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-12_b0138e1da5fdb3af970fa9848a2a913c_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:3076
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129KB
MD534724ba3578489054675934c1d449406
SHA16a58dff90aa0bff3c1e639cd4230e8b04f103ba7
SHA2567cb06bb938db64c3401d91488f2a37cefc09dd16752e6fe38d35dd5b77125b5f
SHA5120e0c44ff52cee9ab7cfa2f9155910d4196fa629394bc38d4fe8db630450a2bf8c62b0c83f2145c099f2addd1479bccde153f40f933fb1f3da20afeb0d0e0a5ec