Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2024, 07:47
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe
-
Size
42KB
-
MD5
12ea6a4177c3f26fc0475f30d2e88a71
-
SHA1
b4fec9c66c66b19edeaf1619f9dd2ceb40ee3f46
-
SHA256
2c8999903e7859982d81a9f2ebae28179628a6ae1e5833feacabadfe3747893e
-
SHA512
b8d26888ad97366e1d8ef5ab710d743da47d7b76761c28fb26021eea0f21f1517fa36d4d5342f5fe5166bf16a252c2c7a8997942f6536555ed3ade090fbc0490
-
SSDEEP
768:bA74zYcgT/Ekd0ryfjPIunqpeNswmT3HwnCJ:bA6YcA/X6G0W143QC
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation 2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4716 hasfj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hasfj.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4772 wrote to memory of 4716 4772 2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe 86 PID 4772 wrote to memory of 4716 4772 2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe 86 PID 4772 wrote to memory of 4716 4772 2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD5e1d0a5ed8217e244003904fdc49ddfc1
SHA178aaf5fdfe03fd3a00b4ce88d041c1148fab073b
SHA2567533b787d973fe18096c8164484c03a11287cb9d00f8aacbeafaee19ad6652b1
SHA51290fc3f076c615bca9c36dd239bdb22fd4e5ac8e5e0cf4797b3cfbe7d00184e91d2461fb11b601ad8552ca8802724dae87762923ea6f8aefc7ffef16135bd67f5