Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2024, 01:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe
  Resource: win10v2004-20240412-en
General
Target: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe
Size: 39KB
MD5: 2d3b7a94d371bdb0e875337b2c5d62df
SHA1: e9a4b43d8990b9a385540cc8c21509fc427b65eb
SHA256: f7ef7492acd64edebd38128e8132f58e198ba40005f631696dbf5a25265866d9
SHA512: 3b5db9276afec7d579b4eb3dd16e291b67d235c794830c1c7c739a1e6104216f549883cc597d39045067675344314355719c629aa776125c57331f6cfb417c5b
SSDEEP: 768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6WaJIOc+UPPEkLNWL:YGzl5wjRQBBOsP1QMOtEvwDpjgarrkL+
Malware Config
Signatures
Detection of CryptoLocker Variants (4 IoCs)
  resource: behavioral2/memory/712-0-0x0000000000500000-0x000000000050B000-memory.dmp  yara_rule: CryptoLocker_rule2
  resource: behavioral2/files/0x000300000001e970-13.dat  yara_rule: CryptoLocker_rule2
  resource: behavioral2/memory/3952-17-0x0000000000500000-0x000000000050B000-memory.dmp  yara_rule: CryptoLocker_rule2
  resource: behavioral2/memory/712-18-0x0000000000500000-0x000000000050B000-memory.dmp  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (4 IoCs)
  resource: behavioral2/memory/712-0-0x0000000000500000-0x000000000050B000-memory.dmp  yara_rule: CryptoLocker_set1
  resource: behavioral2/files/0x000300000001e970-13.dat  yara_rule: CryptoLocker_set1
  resource: behavioral2/memory/3952-17-0x0000000000500000-0x000000000050B000-memory.dmp  yara_rule: CryptoLocker_set1
  resource: behavioral2/memory/712-18-0x0000000000500000-0x000000000050B000-memory.dmp  yara_rule: CryptoLocker_set1
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation
  process: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe
Executes dropped EXE (1 IoC)
  pid: 3952  process: asih.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 712 wrote to memory of 3952  pid: 712  process: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe  procid_target: 86
  description: PID 712 wrote to memory of 3952  pid: 712  process: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe  procid_target: 86
  description: PID 712 wrote to memory of 3952  pid: 712  process: 2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe  procid_target: 86
Processes
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-21_2d3b7a94d371bdb0e875337b2c5d62df_cryptolocker.exe"
    PID: 712
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\asih.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 3952
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: 450ad71453c46244a00e0b21c13e19d8
SHA1: cc138b6b26f80b354af0e6226ecfd24d03afd204
SHA256: a7e3e9f2491266c00a217179d578740fe69410db8763ec6f107136b220628d9e
SHA512: 0fe5f6e48301607cf767f0188d2f9da4bb06a96cc43f103cd2072cf2bc4434913a926a51550665100e81198a119cbd6af9a0d4cbd1c2b57badde0280359966bc