Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15/04/2024, 12:02 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe
-
Size
94KB
-
MD5
cc1a18fabb960c215d97fc94d8965877
-
SHA1
ecfe1ea4540642428b6d1579c92b1910b858c86a
-
SHA256
d819174d1c295682a4d192fd28759a2f6920fae132ebb07c49f787d7a787d3be
-
SHA512
4476be96162cfaffbfd56a716b4d110e4f05290f3235af3856e896e77377135eea24b953317c139f061c55617e99006277c518f0b412748d547f769b1a5eea5a
-
SSDEEP
1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwMgo:V6a+pOtEvwDpjtzE
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000a00000001ea83-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
resource yara_rule behavioral2/files/0x000a00000001ea83-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4972 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2260 wrote to memory of 4972 2260 2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe 91 PID 2260 wrote to memory of 4972 2260 2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe 91 PID 2260 wrote to memory of 4972 2260 2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-15_cc1a18fabb960c215d97fc94d8965877_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:4972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:5544
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request37.56.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestemrlogistics.comIN AResponseemrlogistics.comIN CNAMEtraff-1.hugedomains.comtraff-1.hugedomains.comIN CNAMEhdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.comhdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.comIN A52.71.57.184hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.comIN A54.209.32.212
-
Remote address:8.8.8.8:53Request23.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request249.197.17.2.in-addr.arpaIN PTRResponse249.197.17.2.in-addr.arpaIN PTRa2-17-197-249deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request215.143.182.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
46 B 40 B 1 1
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
37.56.20.217.in-addr.arpa
-
62 B 192 B 1 1
DNS Request
emrlogistics.com
DNS Response
52.71.57.18454.209.32.212
-
72 B 158 B 1 1
DNS Request
23.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
249.197.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
215.143.182.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5a0a055586aabe1e277e54ba968193993
SHA183c842b99f8faf0455fe15d34a4947719c1242a7
SHA25617e92511b42a13e09f31e2ae34d6828d07a8245cd0b96efa0b42a3c7e28679f7
SHA5120fe9eb71309d1c36373814d6c9ab5d07d0a3a2e08ec3f19ed95fafa3e249eb146bb5c8a9478600dd91464e5bc025ec6cd396c2c25d0ae0b01e58880f3ffbe21d