Analysis
max time kernel: 131s
max time network: 143s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 02/08/2023, 18:32
Behavioral task: behavioral1
Sample: 414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: 414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe
Resource: win10v2004-20230703-en
General
Target: 414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe
Size: 87KB
MD5: 414d9a928f8967c5a91bf5d0133c97ed
SHA1: 41e1f407520068f4c8f0e20b4c59a448cf77f4c1
SHA256: 3884e4e961a49ecffdf7bf2d0bb4bbbb10e758059a5a2e15f2c66975fd9b004a
SHA512: 5f265aadb587cae7d034911ee1ba2c20d71549d1666d0eb8b61a96ff2be7180bf9bafc2db5f6ecd56a5f2861085c8a8788bf8c8fca6213b48765c773bf465b04
SSDEEP: 1536:zj+soPSMOtEvwDpj4ktBl01hJl8QAPM8Ho6cRDjF:zCsanOtEvwDpjw
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  596   misid.exe

Loads dropped DLL (1 IoCs)
  pid    Process
  1372   414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe

  resource                                                                      yara_rule
  behavioral1/memory/1372-53-0x0000000000500000-0x0000000000510000-memory.dmp   upx
  behavioral1/memory/1372-67-0x0000000000500000-0x0000000000510000-memory.dmp   upx
  behavioral1/files/0x0008000000012022-64.dat                                   upx
  behavioral1/memory/596-69-0x0000000000500000-0x0000000000510000-memory.dmp    upx
  behavioral1/files/0x0008000000012022-68.dat                                   upx
  behavioral1/files/0x0008000000012022-78.dat                                   upx
  behavioral1/memory/596-79-0x0000000000500000-0x0000000000510000-memory.dmp    upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid    Process                                                  procid_target
  PID 1372 wrote to memory of 596     1372   414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe    28
  PID 1372 wrote to memory of 596     1372   414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe    28
  PID 1372 wrote to memory of 596     1372   414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe    28
  PID 1372 wrote to memory of 596     1372   414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe    28
Processes

C:\Users\Admin\AppData\Local\Temp\414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\414d9a928f8967c5a91bf5d0133c97ed_cryptolocker_JC.exe"
  PID: 1372
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\misid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    PID: 596
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: 9b09a941d82792f72a313668d916654f
SHA1: 6034168c3447449f6a4e0da92f96ad3dba56d44e
SHA256: d0e5aa1d32c707c5fab3865cdb633bda832c5de93c551633805d3776c0305174
SHA512: 810a8da2a74aefa79a03f0a8a8de2c5ab93e6ac4fc23e689b4a9e4e4cb53c0b31427bcb4794e0a72a17276f497b7a18f089e043142c2b2e9f7515a0fdee6c65e