Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15/04/2024, 09:31

General

  • Target

    2024-04-15_1c0137b78391abadb9761c040b566331_cryptolocker.exe

  • Size

    62KB

  • MD5

    1c0137b78391abadb9761c040b566331

  • SHA1

    0e4e2991d72a83ef76f5ec901f6d02b87ba92716

  • SHA256

    4006faa00871b765909871f010c0aaae234463d8c91732375c5d18391afb6ea6

  • SHA512

    208f790a72beeedaabdbf1f99d63f9a6e4b546a569123e8bbccb144da5f4f0a0ae03e07d9261a23b2d5f0608fe3a85709d624223bd731d1b610c7cd3bf41b6ff

  • SSDEEP

    1536:qmbhXDmjr5MOtEvwDpj5cDtKkQZQRKb61vSbgtsiP:BbdDmjr+OtEvwDpjM8a

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 5 IoCs
  • Detection of Cryptolocker Samples 3 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-15_1c0137b78391abadb9761c040b566331_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-15_1c0137b78391abadb9761c040b566331_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    62KB

    MD5

    eb405c7876e29bd9c443402054d4fb6b

    SHA1

    403cc56cb9f4430606f5c89e952123252e453e4d

    SHA256

    9f4ed5f15034fb3bea7d950e31f5347ed94db387333f19dc43611ac825a97783

    SHA512

    534c9e320a5bb55c89083f800eb5deaa1989388564d32fa15a958785fcbdaed64d1496792d9fa175fb10bacdd555e9f983a6ac8e724d27039fbf39d8c6676aa7

  • memory/2764-17-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/2764-20-0x00000000020E0000-0x00000000020E6000-memory.dmp

    Filesize

    24KB

  • memory/2764-25-0x0000000000660000-0x0000000000666000-memory.dmp

    Filesize

    24KB

  • memory/2764-27-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/3944-0-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/3944-1-0x0000000000590000-0x0000000000596000-memory.dmp

    Filesize

    24KB

  • memory/3944-2-0x0000000000590000-0x0000000000596000-memory.dmp

    Filesize

    24KB

  • memory/3944-3-0x00000000005B0000-0x00000000005B6000-memory.dmp

    Filesize

    24KB

  • memory/3944-18-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB