Analysis
- max time kernel: 131s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 03:32
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
- Size: 70KB
- MD5: 1e31c4353ad62462065b2c9824d39b05
- SHA1: a1e5fe2967901554dfc3a28697298b19f1eb194c
- SHA256: 644f061fb48692a394ff97fc6fd30296c96e4286cdd19b05d23e1e733231cae1
- SHA512: d4da578776ca7824b4f15c51941613f8fb229b298106fe821ee4bb1ea32e865191aa17ca0e0f6a31b24eaafc1c76a630fa802da7d51a88c158ce779fe77a8413
- SSDEEP: 1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLEQ:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7I
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | hurok.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1536 | hurok.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hurok.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3004 wrote to memory of 1536 | 3004 | 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe | 89
  PID 3004 wrote to memory of 1536 | 3004 | 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe | 89
  PID 3004 wrote to memory of 1536 | 3004 | 2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe"
  PID: 3004
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hurok.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
    PID: 1536
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4356,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
  PID: 3184
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: b925daf34958e6550b372f876f845dea
  SHA1: 20e1302845402798e7e80744d14c7e7c23111a7a
  SHA256: ef005d0cc1196fccdcf24cd5d0ff08b968e01159fa1bb33e4e27e1f5d8ca0ed1
  SHA512: 8e37beba4a4a17e5cc1cdb07de991b807207ff57666a0e5e558d1e419f32b5d46f3a22a27c7171dbbb1ebf09a8c9a5c1e8e5fa9c0c9f50c7f1f0654fac6f420b