Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-26...er.exe

windows7-x64

9

2024-03-26...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2024, 23:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-26_b3b374d924d026ef0aa83e2a9859556c_cryptolocker.exe

  • Size

    33KB

  • MD5

    b3b374d924d026ef0aa83e2a9859556c

  • SHA1

    4354ae36f6d8ad42c4258dc039bfcf33e8a792cf

  • SHA256

    86571e3a12f4369c32db5c276d245d10533f0d27a3125d5f20fac5de6bdb7db7

  • SHA512

    885b0d5a3f513ecd84c3d0e2cfaa67ac1527f90434cef89886a1bce4e6144e66ccd4ba51663f2bcd2df354d20a0b6bfa2096829f5b0403eb0948423c37a7ed4b

  • SSDEEP

    384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunvsYo83:bA74zYcgT/Ekd0ryfjPIunvsi3

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-26_b3b374d924d026ef0aa83e2a9859556c_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-26_b3b374d924d026ef0aa83e2a9859556c_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    33KB

    MD5

    9f7d3b03d73a42f29e70d3ce0a4657d7

    SHA1

    dcbbf814cdbb533878e393c12d67e44e3432ba51

    SHA256

    c11c038bf6bf7c61f89d9b3e8cf2510143fadfedd7c60121424d7c709bd78a0b

    SHA512

    6c4bfb5dfce4a195c23c0dff70fc02b8ff59e9c02c9e95442e2e280dc445d2e3df8f41daf5ce0ea415d32c4150750ad9669268153b151afab82d0e6c8774f38c

    Download Submit

  • memory/1116-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1116-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1116-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2960-17-0x00000000021D0000-0x00000000021D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2960-21-0x0000000002110000-0x0000000002116000-memory.dmp

    Filesize

    24KB

    Download