Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 02:25 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe
-
Size
49KB
-
MD5
ffb5e536307cf11067f864e3833217db
-
SHA1
9bbe338b2297d33cba61a7053ff5800e31d2f2c7
-
SHA256
1438c035b7bd29cf71ae2eb3728474d47224d4baf18bc0c36e66653947860abd
-
SHA512
17bd4cf5c201b33155702bd839effefa8958c5381af8b2a535aa2650af522afe9ae9d4e7f82c6d9a0e6d7307dfd1733290cd47e75caece1d96f817d98ea8c7e6
-
SSDEEP
768:xQz7yVEhs9+4uR1bytOOtEvwDpjWE6BLbjG9RzhwaRhAEFo:xj+VGMOtEvwDpjy+TRhxu
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral2/memory/4404-0-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral2/memory/4404-17-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x0008000000022f51-16.dat CryptoLocker_rule2 behavioral2/memory/912-48-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral2/memory/4404-0-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 behavioral2/memory/4404-17-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 behavioral2/files/0x0008000000022f51-16.dat CryptoLocker_set1 behavioral2/memory/912-48-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 -
Detects executables built or packed with MPress PE compressor 4 IoCs
resource yara_rule behavioral2/memory/4404-0-0x0000000000500000-0x0000000000510000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4404-17-0x0000000000500000-0x0000000000510000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0008000000022f51-16.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/912-48-0x0000000000500000-0x0000000000510000-memory.dmp INDICATOR_EXE_Packed_MPress -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ffb5e536307cf11067f864e3833217db_cryptolocker.exe"1⤵
- Checks computer location settings
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵PID:912
-
Network
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestbestccc.comIN AResponsebestccc.comIN A103.91.187.97
-
Remote address:8.8.8.8:53Request203.107.17.2.in-addr.arpaIN PTRResponse203.107.17.2.in-addr.arpaIN PTRa2-17-107-203deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestcrl.comodoca.comIN AResponsecrl.comodoca.comIN CNAMEcrl.comodoca.com.cdn.cloudflare.netcrl.comodoca.com.cdn.cloudflare.netIN A172.64.149.23crl.comodoca.com.cdn.cloudflare.netIN A104.18.38.233
-
Remote address:172.64.149.23:80RequestGET /cPanelIncCertificationAuthority.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.comodoca.com
ResponseHTTP/1.1 200 OK
Content-Type: application/pkix-crl
Content-Length: 65440
Connection: keep-alive
Last-Modified: Sun, 09 Jun 2024 05:27:42 GMT
Expires: Sun, 16 Jun 2024 05:27:42 GMT
Etag: "28ed2d44100a567a83419eb650a92b663924e28b"
Cache-Control: max-age=602265,s-maxage=3600,public,no-transform,must-revalidate
X-CCACDN-Proxy-ID: mcdpinlb4
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: HIT
Age: 655
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 8915f61f2b6a76f5-LHR
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.149.64.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.187.91.103.in-addr.arpaIN PTRResponse97.187.91.103.in-addr.arpaIN PTR1039118797-static-reversegdrnetin
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request31.121.18.2.in-addr.arpaIN PTRResponse31.121.18.2.in-addr.arpaIN PTRa2-18-121-31deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request144.107.17.2.in-addr.arpaIN PTRResponse144.107.17.2.in-addr.arpaIN PTRa2-17-107-144deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.179.89.13.in-addr.arpaIN PTRResponse
-
1.0kB 5.7kB 13 9
-
1.5kB 68.0kB 29 51
HTTP Request
GET http://crl.comodoca.com/cPanelIncCertificationAuthority.crlHTTP Response
200 -
46 B 1
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
57 B 73 B 1 1
DNS Request
bestccc.com
DNS Response
103.91.187.97
-
71 B 135 B 1 1
DNS Request
203.107.17.2.in-addr.arpa
-
62 B 143 B 1 1
DNS Request
crl.comodoca.com
DNS Response
172.64.149.23104.18.38.233
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
23.149.64.172.in-addr.arpa
-
72 B 125 B 1 1
DNS Request
97.187.91.103.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
31.121.18.2.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
144.107.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
14.179.89.13.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49KB
MD5b36259ad63ebb94ef8f6480cff491452
SHA1810e4c51aeb8284efb08b3d12f0a229bf8ec97e0
SHA256e1832ac2af83851f70e2563f9fd6479aec601c81e6173ff8ef7da0a62b652a1d
SHA5129fe6fa35b3b48c21fe1fe6206d9ad84e7dd5fd88374d74428d8868bf2110643c87b55da588d147917e7f0562752d826e336a66c400628507f30e2d0f5d66ef90
-
Filesize
315B
MD5a34ac19f4afae63adc5d2f7bc970c07f
SHA1a82190fc530c265aa40a045c21770d967f4767b8
SHA256d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3
SHA51242e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765