Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2024, 04:02
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe
-
Size
35KB
-
MD5
a0ea666dffbe34a24ac302a234d94fca
-
SHA1
adb678e89e5349224ac2f89b5e60636ff555c966
-
SHA256
54cd04bb370bb8f2aa0281e1f4efa885773dde34a761df03496e815b8e2993da
-
SHA512
43aee9a4edba3caca5d31cce7cb12c035b1c0a076d6c5f5377bfa15171943ab05337bf777c37c0568be2dbaca86d9853cf09f2186cb76dd2f06cbc73a63e7a80
-
SSDEEP
384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6ckJp0qAgmEzXKxA+T9riu:bAvJCYOOvbRPDEgXRc+BAILiJiu
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000a00000002341b-12.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation demka.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 1832 demka.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1552 wrote to memory of 1832 1552 2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe 83 PID 1552 wrote to memory of 1832 1552 2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe 83 PID 1552 wrote to memory of 1832 1552 2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-25_a0ea666dffbe34a24ac302a234d94fca_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\demka.exe"C:\Users\Admin\AppData\Local\Temp\demka.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1832
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5f6150dbf80361fb67d2a592393d3c5c6
SHA19e25b9948112813b8071d76b9ab6049af05ac658
SHA2566e3c151fda886998c6a7b807744fff71613b38620720820c8f300a4c8709676f
SHA5121dd71e9a39d56235e0470b50e9aaefb0451f6cd40d16779c17b3ebb33a9dc4c46aadec982ef12436c0e88ed216a2917e33966d51ef434e2f0b8f6ba3e5aeaf7e
-
Filesize
186B
MD5ceb032d0d01966cd04d403b95e64e6e8
SHA15873bb8a34a16cf4bcef2f68e6aba2e08fbe5851
SHA2566072a04f8389d903943e4b71062e527cb36660d9e42ec9152153419cfee3cde8
SHA5127453ad3953e5e331c30cc6160400995891f3121f76eedacaeee8bfd3b06582d2bb737e775e823453b78065b4e0919d57407d5b63975e369c2cf31217e50285b3