Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24/08/2024, 07:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe
-
Size
46KB
-
MD5
ee58813ca9c801daa9bcd6012a896ee5
-
SHA1
226af3224e36f03c0955c922a51c771098701072
-
SHA256
ddd4a964e4425ded0eabdd9d802a24dbc12ae267a98fcf4c239dbd2da29aa41f
-
SHA512
456c7b120936a1732cee6ba16c3bca0535bb3940d140cb681f6323b7eda7d85d386abc2f62bd072f07578eb5e4449fa2673a607bd2cacfbee9296e8578ff730a
-
SSDEEP
384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jb0nrlwfjDUknqs+/:bm74zYcgT/EkM0ryfjdnqsM
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation 2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 2580 hasfj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hasfj.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2580 2208 2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe 84 PID 2208 wrote to memory of 2580 2208 2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe 84 PID 2208 wrote to memory of 2580 2208 2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-24_ee58813ca9c801daa9bcd6012a896ee5_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD5f663bdd6937ac11cd294c3d7a8afec77
SHA1c037bcb156a7045cc961e6dde0bc6ec7d96b81cc
SHA256f21b2c36ad42208d5ab8f08a51abf899ed543dca97c3557440da6aa9bcf22897
SHA512f371e4a9f5072800f90570cc4ebee1f63fc195009b8cb065bf799e5e8b306ddfd703a65ad3565864ab29242f27e54598e4dfad3c3950a11e86fb1c1ef76b1660