Analysis
max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/04/2024, 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe
Size: 35KB
MD5: c0bb7de9ce856c58c51e50c2ab2caf8d
SHA1: 1822dacf84660b9085121c3f206b6083e5d79069
SHA256: a7e359ff2252b3ec9268876f4154690ef52619e0238ff0542540bf9b3883ae62
SHA512: e7f49edd054fd175780f5956e9299cf6b8b2649066d947848dec093f0ee36928d9c31a6c002a0a506cc4b8f42afe702b0aae4420a429eda550ab99f48c02adf9
SSDEEP: 384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qZ9:btB9g/WItCSsAGjX7r3BTZ9
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  resource | yara_rule
  behavioral2/files/0x0009000000023400-12.dat | CryptoLocker_rule2
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | gewos.exe
Executes dropped EXE (1 IoC)
  pid | Process
  2160 | gewos.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4520 wrote to memory of 2160 | 4520 | 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe | 84
  PID 4520 wrote to memory of 2160 | 4520 | 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe | 84
  PID 4520 wrote to memory of 2160 | 4520 | 2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe | 84
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_c0bb7de9ce856c58c51e50c2ab2caf8d_cryptolocker.exe"
  PID: 4520
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\gewos.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
    PID: 2160
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 35KB
MD5: 93bd80f7fcced6ab7b908e41c3139787
SHA1: f183341ab27e1dcf2541e30203614d1e1f2756a1
SHA256: 2fba5528e107799e68110e417f2852b50cb1859ee90a5f7691ee888f40162b78
SHA512: 881d266d661d599aee9950c59347300482e0a55bcca1a0c3c51c1396ff49b67edfa899db554ee3c8673f0736736023d1c0fc7bc9c53838c6d4b4518980536a44