Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2024, 07:47

General

  • Target

    2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe

  • Size

    42KB

  • MD5

    12ea6a4177c3f26fc0475f30d2e88a71

  • SHA1

    b4fec9c66c66b19edeaf1619f9dd2ceb40ee3f46

  • SHA256

    2c8999903e7859982d81a9f2ebae28179628a6ae1e5833feacabadfe3747893e

  • SHA512

    b8d26888ad97366e1d8ef5ab710d743da47d7b76761c28fb26021eea0f21f1517fa36d4d5342f5fe5166bf16a252c2c7a8997942f6536555ed3ade090fbc0490

  • SSDEEP

    768:bA74zYcgT/Ekd0ryfjPIunqpeNswmT3HwnCJ:bA6YcA/X6G0W143QC

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-29_12ea6a4177c3f26fc0475f30d2e88a71_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe

    Filesize

    42KB

    MD5

    e1d0a5ed8217e244003904fdc49ddfc1

    SHA1

    78aaf5fdfe03fd3a00b4ce88d041c1148fab073b

    SHA256

    7533b787d973fe18096c8164484c03a11287cb9d00f8aacbeafaee19ad6652b1

    SHA512

    90fc3f076c615bca9c36dd239bdb22fd4e5ac8e5e0cf4797b3cfbe7d00184e91d2461fb11b601ad8552ca8802724dae87762923ea6f8aefc7ffef16135bd67f5

  • memory/4716-17-0x0000000003010000-0x0000000003016000-memory.dmp

    Filesize

    24KB

  • memory/4716-23-0x00000000020A0000-0x00000000020A6000-memory.dmp

    Filesize

    24KB

  • memory/4772-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

  • memory/4772-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

  • memory/4772-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB