Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/09/2024, 10:59
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe
- Size: 45KB
- MD5: fec69b34e0b9446bcdf7c410e0c530e9
- SHA1: da012704640348f59eae5bfb62136d37eaa31026
- SHA256: a510db28e2eb927a6a640f697270d2caf3533fcf85c994114ec2a1e2bb4fe91c
- SHA512: c8e4db7d26fd2e5a7705db8ba369f84d2c30b60f33dfbadf90e8d20e9ef4a726d299e27de87ef13d51b90d858eb5b4a69cda7a7a02c4b7bb09b957f970694f01
- SSDEEP: 384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jb0nrlwfjDUk3b+Nd:bm74zYcgT/EkM0ryfjd3Wd
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4772 | hasfj.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hasfj.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4588 wrote to memory of 4772 | 4588 | 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe | 86
  PID 4588 wrote to memory of 4772 | 4588 | 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe | 86
  PID 4588 wrote to memory of 4772 | 4588 | 2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe (PID 4588, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-05_fec69b34e0b9446bcdf7c410e0c530e9_cryptolocker.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hasfj.exe (PID 4772, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45KB
  MD5: f24dbaa255ac81a5dda944f41bf1a823
  SHA1: 8a1317d9031611ea564efb2cab5ad551b4aea9a3
  SHA256: febde292f3a212d044e5b791381e8a90e130f1db6a2d58da2d17b68b6160210a
  SHA512: 75a3b71da95e607cebbf54d951138b982d37ea1ac3dcca9dfd1567b0fe762ccce35f6916ec4e9f5522d6686988ea97755088a0dba43962d565ef61d7a5661a9e