Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 03:32

General

  • Target

    2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe

  • Size

    70KB

  • MD5

    1e31c4353ad62462065b2c9824d39b05

  • SHA1

    a1e5fe2967901554dfc3a28697298b19f1eb194c

  • SHA256

    644f061fb48692a394ff97fc6fd30296c96e4286cdd19b05d23e1e733231cae1

  • SHA512

    d4da578776ca7824b4f15c51941613f8fb229b298106fe821ee4bb1ea32e865191aa17ca0e0f6a31b24eaafc1c76a630fa802da7d51a88c158ce779fe77a8413

  • SSDEEP

    1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLEQ:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7I

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-01_1e31c4353ad62462065b2c9824d39b05_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\hurok.exe
      "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1536
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4356,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
    1⤵
      PID:3184

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\hurok.exe

      Filesize

      70KB

      MD5

      b925daf34958e6550b372f876f845dea

      SHA1

      20e1302845402798e7e80744d14c7e7c23111a7a

      SHA256

      ef005d0cc1196fccdcf24cd5d0ff08b968e01159fa1bb33e4e27e1f5d8ca0ed1

      SHA512

      8e37beba4a4a17e5cc1cdb07de991b807207ff57666a0e5e558d1e419f32b5d46f3a22a27c7171dbbb1ebf09a8c9a5c1e8e5fa9c0c9f50c7f1f0654fac6f420b

    • memory/1536-19-0x0000000000720000-0x0000000000726000-memory.dmp

      Filesize

      24KB

    • memory/3004-0-0x0000000002130000-0x0000000002136000-memory.dmp

      Filesize

      24KB

    • memory/3004-1-0x0000000002130000-0x0000000002136000-memory.dmp

      Filesize

      24KB

    • memory/3004-2-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB