Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 04:30

General

  • Target

    2024-10-03_62ff899c8f03a6a31fce619fe3f8d3a2_cryptolocker.exe

  • Size

    40KB

  • MD5

    62ff899c8f03a6a31fce619fe3f8d3a2

  • SHA1

    ae6ad7edf3a1b72662d5f9367bdbede8b3ff36e8

  • SHA256

    f351168457a3826625392978a2009cf84921aa5e84fe03c1ccde2d02a0dddb05

  • SHA512

    eec1d4e26931e22cf85591d0c4e1b0177e56c51f6173830af244979ed8f66d8b477b2483f9b8024c21d1bbe0ee3edff4af2084f2fdf71e62362bb8e6a8e15f2c

  • SSDEEP

    384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf6XT+0vJsg5b5U3O2PrO:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yn

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-03_62ff899c8f03a6a31fce619fe3f8d3a2_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-03_62ff899c8f03a6a31fce619fe3f8d3a2_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe

    Filesize

    41KB

    MD5

    aaf1dd8925fee75b6746f64192d745fd

    SHA1

    7abcd0aab6d2fd7ecc864059c6e8042759ed55a2

    SHA256

    3f29038304bad0fcbc5a21cd7ab57a5ef1d5e4acc310cadb16f16fc4965f0a0a

    SHA512

    ff8743e3daee2ee8c838e800245030bcc756951dffc0c5edafeb34f9f8d6bcb97e52bc3fd66bbaf07dac0d7a37c4a454ea5ea4a10d3868151dd0749126cab486

  • memory/2304-23-0x0000000000700000-0x0000000000706000-memory.dmp

    Filesize

    24KB

  • memory/2304-17-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/3820-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

  • memory/3820-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

    Filesize

    24KB

  • memory/3820-2-0x0000000003150000-0x0000000003156000-memory.dmp

    Filesize

    24KB