Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe
-
Size
51KB
-
MD5
5c6e8d87014d3bc9013a8d651d59691c
-
SHA1
7f5298bf980e6f3043ea31229f33497fd4e94c5e
-
SHA256
d9906c5fcc5d6bb2d11e5175194731139aa14f2d7526c402f29e4e58ff2591c5
-
SHA512
5121eeeb14de45ba44309b3fe7068f1ac66508b1bcbc2430997f64f66a04ec71f0f47e59698323af91e50272783bf99b32318d527a62f7fde8ba68a0ef24dfb7
-
SSDEEP
768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaaEqbIu556BlvsT4:X6QFElP6n+gJQMOtEvwDpjB0GIWSlvI4
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation 2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 3120 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asih.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2484 wrote to memory of 3120 2484 2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe 82 PID 2484 wrote to memory of 3120 2484 2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe 82 PID 2484 wrote to memory of 3120 2484 2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-05_5c6e8d87014d3bc9013a8d651d59691c_cryptolocker.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3120
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
51KB
MD5d9d4a516489345faecdc841474a021cd
SHA1753df0b6c2fca2482c3ed0a0257b30ef5b3a446a
SHA25668c57800443d1c6db2702097b213b983be1aba78d6d8a8a5a6b25e2a9b64833c
SHA512e50aded34351aa09bc41381bb4e752d13622dde2a4d00cdde3a11d2f9b8ebfe64352c3cc7fb77cd0c9157e292dc3b3605f9944e00206fc967624966ec34c2d97