Analysis
- max time kernel: 0s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 06:37
Behavioral task: behavioral1
- Sample: 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
- Resource: win10v2004-20231222-en
General
- Target: 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
- Size: 91KB
- MD5: 1a1279a80c9f22d1f0a4d0fc8e86b6c3
- SHA1: 98993b458de66f8f8cb92d0d2be3cf2739957372
- SHA256: a661c12cdda38384bafed713d1a76e9db76123eac9c3c745aa2148134942c41d
- SHA512: 82be3ffa610996c42e8bfe68384e673eed19687193b75099aa66d2bd316adf532c5d8641e5f98936497aa387c61acd0d6d99a7d538ac96deda905811e17fce7c
- SSDEEP: 1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp01K:AnBdOOtEvwDpj6zM
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid / Process: 1528 asih.exe
- Loads dropped DLL (1 IoCs)
  pid / Process: 2112 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
- resource / yara_rule:
  behavioral1/memory/2112-1-0x0000000000500000-0x000000000050F000-memory.dmp: upx
  behavioral1/memory/1528-25-0x0000000000500000-0x000000000050F000-memory.dmp: upx
  behavioral1/files/0x000c000000011fde-24.dat: upx
  behavioral1/memory/2112-15-0x0000000000500000-0x000000000050F000-memory.dmp: upx
  behavioral1/files/0x000c000000011fde-14.dat: upx
  behavioral1/files/0x000c000000011fde-11.dat: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 2112 wrote to memory of 1528 / 2112 / 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe / 14
  PID 2112 wrote to memory of 1528 / 2112 / 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe / 14
  PID 2112 wrote to memory of 1528 / 2112 / 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe / 14
  PID 2112 wrote to memory of 1528 / 2112 / 2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe / 14
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe"
  PID: 2112
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 1528
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 97a3f352fa15ffe31601bd0598642563
  SHA1: 6ec50c0cc7b0162de2f240d5a26476d47fdadd49
  SHA256: 66a0e618a7e8cda430bd50a002ee016a6357cb2153ac906453a87a42537b6e8e
  SHA512: c32f233b6929d6186bf4bdeb882ec9f393c060b8ae81d479558a03cc402c91541d473e1178548dc7cb7c3355ad303e986640f18bb2599282e45528b29393823f
- Filesize: 5KB
  MD5: 3c0e25dcb8a5d4052322fad2bca96ab2
  SHA1: 01a78250096567cb1d4c78b1a65e8e23c058e4c0
  SHA256: b81b617b2a3079cae18f44ef5d41fbf8fc3fff08be75867e5a3c190592f09e3d
  SHA512: 1a69b318e6148d39e3ad4da86c5e9f0cf9e4cdaa16731981a404e547882b59e891bfa7fc67f59cf8d77ae19c9b30863edd7155fc644c6f500e7f01083839720c
- Filesize: 18KB
  MD5: 89f4b48b15b1c1562b49ebd727936560
  SHA1: 5ee2ce2df38037f1a10543459150c3d8d99fd927
  SHA256: 7af298fc4ef133778e0fdc57da14c60ac8885a09943ecce65a2db309a6e3f2be
  SHA512: 3f92da2cf9263def2f922b9ccf3755b946ff23fed378564c5377d5491493a41f0303feb62524fe23d244479af0c95eeee17bbab81f180c541677d85e31f0c968