Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2024-07-27...er.exe

windows7-x64

7

2024-07-27...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    129s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-27_bc2cc961dfeb019121402283457e6808_cryptolocker.exe

  • Size

    393KB

  • MD5

    bc2cc961dfeb019121402283457e6808

  • SHA1

    33352a93a1a569c38e3d15c9951c44c8b337a1c6

  • SHA256

    022df0d434b54d03263545a48dd05b073af8616ff35ebd2703596a0f90e7231b

  • SHA512

    80215cc6f73f209d8ca48c085770ad6a0fe6179029c7140b42bd2e9b19ac7cfbd2679b1226e613e4b8603d82cf5182d2bfb1cd3c0b57a39ecfe2abe32c3f665d

  • SSDEEP

    6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXRf:nnOflT/ZFIjBz3xjTxynGUOUhXRf

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-27_bc2cc961dfeb019121402283457e6808_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-27_bc2cc961dfeb019121402283457e6808_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    393KB

    MD5

    ccb15df17ae3aafbb95581c6fab01421

    SHA1

    c1ed8d79666b44f3f57babe51fff324ad079ba66

    SHA256

    22604e4bef9469276cd261bd0a545ce4bf82f4f22f195e9eb45140fab21b7681

    SHA512

    3ebfe379b5beb3089db0a54177403db390e5b443942501a62d06b7bd0b72efb9e909008d1e6f4eb6d474c526a1f50257a0a857445bd9a53627a50dedda703dd4

    Download Submit

  • memory/1824-17-0x0000000003010000-0x0000000003016000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1824-23-0x0000000002010000-0x0000000002016000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3516-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3516-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3516-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB

    Download