Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2024, 16:36
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe
-
Size
46KB
-
MD5
2fcfe5fc16bb7d0d246a506cdbc83cce
-
SHA1
6b5413586aeb8aaf9d9a72e7507072a854551f17
-
SHA256
b474e4a2123c8ee0b269c3059ad6319e8f8fb6bbeefbf1ad120e90c16a5c6159
-
SHA512
ccc44f95e37409db68820c1bef71fdf2ce981949bcd978ba133f850b6bb79344d003dff61619a5ed31b1af408e0211ef1f1ca9608aee14b4e2873ddd20c56f3a
-
SSDEEP
768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6j4AYsqSh+DETkedmhXSj:YGzl5wjRQBBOsP1QMOtEvwDpjl39+D+l
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral2/memory/1996-0-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x000c00000002304c-13.dat CryptoLocker_rule2 behavioral2/memory/3720-18-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 behavioral2/memory/1996-17-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral2/memory/1996-0-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 behavioral2/files/0x000c00000002304c-13.dat CryptoLocker_set1 behavioral2/memory/3720-18-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 behavioral2/memory/1996-17-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation 2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 3720 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1996 wrote to memory of 3720 1996 2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe 85 PID 1996 wrote to memory of 3720 1996 2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe 85 PID 1996 wrote to memory of 3720 1996 2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-29_2fcfe5fc16bb7d0d246a506cdbc83cce_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:3720
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD52359254efe317b8a619a2b533de9fce1
SHA1ef85bb8da48ff8b800c43224c4ee24bc6850029a
SHA2562d1128b891241dde42b8fd7691739875664b3ba41cd4b1c49f6e091b961aad9c
SHA5122422a078881e6d78dbe01f1f926a01e26e1c4b350babeba08a651ae8d30cabcb11361cf5b37e0af1d8f424f8ca55f24674f57bc0a04d7da8301f1feddca4b862