Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14/06/2024, 19:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe
-
Size
47KB
-
MD5
5010bfc7295d5d7a823b1b27bef4f8af
-
SHA1
6ed6e1f64571ce6c4e2422b5bf44cd9d4d47cbbb
-
SHA256
ec3d7e17790542be338910902310989e0c00f24c40c1cf6107cbf065a38b1ffe
-
SHA512
b0a33eeb235285f3adb26cb3c5d5688304af0cc5fe2c72c9aefca60f881a85591d063852a1400b1f0754853bcd3326263379d66e15623d00f791094710a7da89
-
SSDEEP
768:79inqyNR/QtOOtEvwDpjBKccJVODvy3ULn:79mqyNhQMOtEvwDpjBzckqUL
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral2/memory/4568-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x00090000000226e8-13.dat CryptoLocker_rule2 behavioral2/memory/4568-17-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral2/memory/4924-18-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral2/memory/4568-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral2/files/0x00090000000226e8-13.dat CryptoLocker_set1 behavioral2/memory/4568-17-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral2/memory/4924-18-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation 2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4924 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4568 wrote to memory of 4924 4568 2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe 84 PID 4568 wrote to memory of 4924 4568 2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe 84 PID 4568 wrote to memory of 4924 4568 2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-14_5010bfc7295d5d7a823b1b27bef4f8af_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:4924
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD5e3bc11fd4fb6daa545ecafcc12141f10
SHA1d83eab5e65d837125e8e922347eb483bef78ee11
SHA256217727249f5ec0ce572168d6bc1422af29d7ca0a5cab9d3a6571043eab1635cb
SHA512bb0b48288ebbfad975c4689f2593d3e4bdcb897cb29b6ac38ecf7a8026b1e75f799e1667a1df039f147efc2a158cb405162246a2189db18737fc73ee22099364