Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 05:30
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
  Resource: win10v2004-20240412-en
General
Target: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
Size: 33KB
MD5: 1e098a91f5deba98f586a01e2b2206ba
SHA1: 5063a0c4f10761292b4eb8bf8def94ff00034b2f
SHA256: 0bc398c17feb0dc8a948419b48eb013cc133e2c14bd83e27974ae394f555f377
SHA512: bc69df6db67952696e1ba387cace5fd3959003650b2b9279e542f5eafe30821564b7b32c8da18963344f3b53dce22d1e681d91cb3675412b0e4fda2dc43f9116
SSDEEP: 384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cuM9gxrW:bAvJCYOOvbRPDEgXRcuM9gxa
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral2/files/0x000300000001e9b1-12.dat
  yara_rule: CryptoLocker_rule2

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
    process: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
    process: demka.exe

Executes dropped EXE (1 IoC)
  pid 1408: demka.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4788 (2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe) wrote to memory of PID 1408, procid_target 87 (three identical events)
All three writes go from the sample into PID 1408, the demka.exe child it launches itself. Writes from a parent into a process it has just created also occur during ordinary process creation, so on their own these events do not show injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe (PID 4788)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\demka.exe (PID 1408)
       command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
       - Checks computer location settings
       - Executes dropped EXE
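The signature rows and the process tree above can be correlated mechanically rather than read row by row. The Python below is an added example, not code from tria.ge or from this report: the event tuples are constructed to mirror the rows shown above, and the function names, the event layout and the split of WriteProcessMemory events into "own child" versus "other process" are this example's own conventions, not a tria.ge API.

```python
from collections import Counter

GEO_KEY = r"\Control Panel\International\Geo\Nation"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000"
SAMPLE = "2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe"

# Constructed event list mirroring the report's rows (assumed layout, not a
# tria.ge format): (kind, pid, process name, detail). `detail` is the parent
# PID for process_start, the key path for reg_query and the target PID for
# wpm (WriteProcessMemory).
EVENTS = [
    ("process_start", 4788, SAMPLE, None),           # submitted sample, root
    ("reg_query", 4788, SAMPLE, USER_HIVE + GEO_KEY),  # geofence lookup
    ("wpm", 4788, SAMPLE, 1408),                     # three writes into 1408
    ("wpm", 4788, SAMPLE, 1408),
    ("wpm", 4788, SAMPLE, 1408),
    ("process_start", 1408, "demka.exe", 4788),      # dropped EXE executed
    ("reg_query", 1408, "demka.exe", USER_HIVE + GEO_KEY),
]


def build_tree(events):
    """Map pid -> (name, parent_pid) from process_start events."""
    return {pid: (name, detail)
            for kind, pid, name, detail in events if kind == "process_start"}


def geofence_processes(events):
    """Names of processes that read ...\\Geo\\Nation (the location check)."""
    return sorted({name for kind, _, name, detail in events
                   if kind == "reg_query" and detail.endswith(GEO_KEY)})


def dropped_exe_runs(procs):
    """Child processes whose image is not the submitted sample. This is the
    loose notion of 'dropped EXE' used here; the report labels demka.exe that way."""
    return sorted((pid, name) for pid, (name, parent) in procs.items()
                  if parent is not None and name != SAMPLE)


def split_wpm(events, procs):
    """Separate WriteProcessMemory events into writes into the writer's own
    direct child (also produced by ordinary process creation, so low signal)
    and writes into any other process (worth a closer look)."""
    own_child = Counter()
    other = []
    for kind, pid, name, target in events:
        if kind != "wpm":
            continue
        tname, tparent = procs.get(target, ("<unknown>", None))
        if tparent == pid:
            own_child[(pid, target)] += 1
        else:
            other.append((pid, name, target, tname))
    return own_child, other


def verdict(events):
    """Summarise the run: who geofences, what got dropped and run, and whether
    any memory write crossed outside a parent/child pair."""
    procs = build_tree(events)
    own_child, other = split_wpm(events, procs)
    geo = geofence_processes(events)
    dropped = dropped_exe_runs(procs)
    return {
        "geofence": geo,
        "dropped_exe": dropped,
        "wpm_to_own_child": dict(own_child),
        "wpm_to_other": other,
        # A geofence lookup plus a dropped and launched second stage is the
        # combination to escalate on; parent-to-child writes alone are not.
        "escalate": bool(geo) and bool(dropped),
    }


if __name__ == "__main__":
    for key, value in verdict(EVENTS).items():
        print(f"{key}: {value}")
```

On the events from this report the only WriteProcessMemory activity is the sample writing into the demka.exe child it created, so `wpm_to_other` comes back empty while the geofence lookup by both processes and the dropped second stage still trigger escalation.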
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 34KB
MD5: c412382b8f543f3d11ae17fd6e59b169
SHA1: fc00fb65d8c790fe093beb011ec0e58715c62895
SHA256: a0f7234c8e146726a9af0caaf249364badf34eefb5241f8cee4737cc74ab10fc
SHA512: 89bf44da50a69b8a21568a1a80143b01db2fdcc5c742d5135359b12a12a0075826d47dd3a9d04419acf8bad41cef12cb9fa9b5ffabe2e45d6f5c646a31bf17a4