Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11/05/2024, 20:23
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe
-
Size
54KB
-
MD5
22f84ec802be3fff8e3e2a1b0eecff69
-
SHA1
48d7a5bac0cd7e9c74451dbb31745e4c8090a83a
-
SHA256
5e23324643cb25bced58d86f5db882bb662add439004f550fec836efd1edb76e
-
SHA512
aac23f68152786169125c7aaccf7e746975a3eb826cf390adad8990c270746b4b3bbe52c668a59d568df338a1a205f3a5d364b8ad5f0a1a333b397e3f30f2c35
-
SSDEEP
768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9Xv+mb6uXsl:bIDOw9a0DwitDZzc16j
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x0006000000022fa8-12.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4912 lossy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3952 wrote to memory of 4912 3952 2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe 84 PID 3952 wrote to memory of 4912 3952 2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe 84 PID 3952 wrote to memory of 4912 3952 2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\lossy.exe"C:\Users\Admin\AppData\Local\Temp\lossy.exe"2⤵
- Executes dropped EXE
PID:4912
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD5f8b90422be5b06efe89f44fd1917ad66
SHA1b1d2b3d3915cb2a990771fa70319d2e32b1d9bc5
SHA2567fbaeccae7a95eb3254a7f7eb884e9aa903d58f30be9926b79bbad08b7bb3baf
SHA512c8f294dff789d934b9304cd16de1fe049293e6510a19339b7b6b501d9350722cab3b0d8839a14f0110d22e81d4cef6abcea43916b6279136399a682fa1669c74