Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 11:43
Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe
Size: 43KB
MD5: 96f3ab8c3dc0a5e9494a435d431be9f2
SHA1: 57bedeed3c74de5325835d3fc9a9640641f13d7c
SHA256: d7bf4ab9d33b0bf92042c89ddfc52ab85f9298a8edfaba1640aa3c5a8e7b249e
SHA512: 19090495769795e82d46d892202913e01e9a8dc7907adbd3eba1e0b1efcfe06e0900d1f00c1e4e540db2223416c0e9a859789069b44dca80e569838bb7046923
SSDEEP: 768:P6LsoEEeegiZPvEhHS5+Mh/QtOOtEvwDpjBpaD3TUogs/VXpAPN:P6QFElP6k+MRQMOtEvwDpjBQpVXs
Malware Config
Signatures

Detection of CryptoLocker Variants (5 IoCs)
resource | yara_rule
behavioral2/memory/3404-0-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_rule2
behavioral2/files/0x000400000001e980-13.dat | CryptoLocker_rule2
behavioral2/memory/2000-18-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_rule2
behavioral2/memory/3404-17-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_rule2
behavioral2/memory/2000-27-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_rule2

Detection of Cryptolocker Samples (5 IoCs)
resource | yara_rule
behavioral2/memory/3404-0-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_set1
behavioral2/files/0x000400000001e980-13.dat | CryptoLocker_set1
behavioral2/memory/2000-18-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_set1
behavioral2/memory/3404-17-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_set1
behavioral2/memory/2000-27-0x0000000000500000-0x000000000050B000-memory.dmp | CryptoLocker_set1

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe

Executes dropped EXE (1 IoC)
pid | Process
2000 | asih.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3404 wrote to memory of 2000 | 3404 | 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe | 88
PID 3404 wrote to memory of 2000 | 3404 | 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe | 88
PID 3404 wrote to memory of 2000 | 3404 | 2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe | 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe"
   PID: 3404
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 2000
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 43KB
MD5: e25d608c258f2848bac562710307de08
SHA1: 8768dd45d6709332c3ce914ae6b4dc3b01ca3bbb
SHA256: 2aeabbd182d788c40cbbe21043b63d74d30072f58635b35953bd555391bb2d28
SHA512: 67a60135307fdf3ab11daf5a44fa2f248b4e59f47f95983b5d1064e1ea8edc4c61c3aa72cf363fd20c1ddc1277722a954d34c46b3d968736caea80be71d922a9