Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07/08/2024, 03:21
Behavioral task
behavioral1
Sample
2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe
Resource
win7-20240708-en
General
-
Target
2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe
-
Size
38KB
-
MD5
287c48d0448a967cdaf0c4edeb780803
-
SHA1
20c25c5f831d14ef9097545879a05098ebf24850
-
SHA256
d1f1ccdc3bbd845f7dd7ed7eba189849081d37092f905a03521d3bf850b655ae
-
SHA512
e055ea0fccfb453ada051b53ca50c84c7af39abc553be737d38df1640cde0e44d6085cf7691bcf3dec17862f5504a04ec3d7711712ef6df3231351f937421807
-
SSDEEP
768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITH:qDdFJy3QMOtEvwDpjjWMl7TH
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4720 asih.exe -
resource yara_rule behavioral2/memory/4064-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/files/0x00090000000233e5-13.dat upx behavioral2/memory/4720-19-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/4064-18-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral2/memory/4720-28-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4064 wrote to memory of 4720 4064 2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe 86 PID 4064 wrote to memory of 4720 4064 2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe 86 PID 4064 wrote to memory of 4720 4064 2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-07_287c48d0448a967cdaf0c4edeb780803_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4720
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5469b31f8ebfb1326efe1acf76f665948
SHA16c27ed78721fc2992532e782eb930609db49aeec
SHA25648561ac36b577673a0f8cc1bfabdc92aa893f776ae60d70d32a607cc0cc5041f
SHA512e771cb16c51c779a4ea9c2ff9855ab1744f5a97b6d1855c565f1aa31cf02ee4128c98910f09c152bb6a07e1be0d516c659c92da3c5fdaa2413826cf3ba636a58