Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/06/2024, 18:29
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe
- Size: 47KB
- MD5: 1dcaa0044fa6100c66e5d77c8eb74e96
- SHA1: 859653f07d15c6342c734a0d4af9e5cf3811203d
- SHA256: b1ebcffa6843b81df89eefb069949f37009d1ab8bc7cfc651523eee2791de9ac
- SHA512: 4c1fb1e5e9f0e02558f17dcfe7f455a334bd0368cf2c59e80bc36d69c829e835388c8077b18095792e160dfffa0a9795321d4e8cc17f851596fc2e33b0e6b742
- SSDEEP: 384:e/4wODQkzonAYsju5N/surDQtOOtEvwDpjqIGROqS/WccJVJwi2B5oCCM8CLW2Vl:79inqyNR/QtOOtEvwDpjBKccJVODvy3U
Malware Config
Signatures
- Detection of CryptoLocker Variants (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3168-0-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
  behavioral2/files/0x0006000000023278-13.dat | CryptoLocker_rule2
  behavioral2/memory/1664-17-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
  behavioral2/memory/3168-18-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
- Detection of Cryptolocker Samples (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3168-0-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
  behavioral2/files/0x0006000000023278-13.dat | CryptoLocker_set1
  behavioral2/memory/1664-17-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
  behavioral2/memory/3168-18-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1664 | asih.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3168 wrote to memory of 1664 | 3168 | 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe | 82
  PID 3168 wrote to memory of 1664 | 3168 | 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe | 82
  PID 3168 wrote to memory of 1664 | 3168 | 2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-15_1dcaa0044fa6100c66e5d77c8eb74e96_cryptolocker.exe"
  PID: 3168
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 3168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 1664
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 47KB
- MD5: 11d61962772c699e50222e9058acbf28
- SHA1: 634974e60ca3886cb0c1c85ba229233b3198e63e
- SHA256: 1bcb1453ddf2e47f58fed710985e5531b94e47624d10630ecc1b57371a7dab07
- SHA512: ce9e4184e6c721887c0ff24e47dc8f2745f00cef5f9e1f546caa725eff8b12e187c670eb63c69113d2ca615dd9c9ee8844d63c5e5d9492ed6d530c1f07ccabc5