Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 23:23
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe
Resource
win10v2004-20231215-en
General
Target: 2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe
Size: 84KB
MD5: d1acab556b7caba505c8a950611eeab3
SHA1: a381fbd1935ce15b089966347fdcdcbf1bede478
SHA256: 5015d98708c958001224270994170f9c5b3110169c1c1b28311f3908a7d00f28
SHA512: 15b2c07832780592ad9ca8c2a6c1ac25bdf5459ea386fb433ee1a4936eda55ab237c8358474c9186cc42e8ec624de7d34062beddace2aff9b324c086c437f33b
SSDEEP: 768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUfFKazNclMjNUvA9:i5nkFGMOtEvwDpjNbwQEI8UtzNcO8A9
Malware Config
Signatures

Detection of CryptoLocker Variants (5 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1252-0-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_rule2
behavioral1/files/0x000e00000001224c-11.dat                                  CryptoLocker_rule2
behavioral1/memory/1252-15-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/112-18-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_rule2
behavioral1/memory/112-27-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_rule2

Detection of Cryptolocker Samples (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1252-15-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
behavioral1/memory/112-18-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_set1
behavioral1/memory/112-27-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_set1

Detects executables built or packed with MPress PE compressor (5 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1252-0-0x0000000000500000-0x000000000050F000-memory.dmp   INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000e00000001224c-11.dat                                  INDICATOR_EXE_Packed_MPress
behavioral1/memory/1252-15-0x0000000000500000-0x000000000050F000-memory.dmp  INDICATOR_EXE_Packed_MPress
behavioral1/memory/112-18-0x0000000000500000-0x000000000050F000-memory.dmp   INDICATOR_EXE_Packed_MPress
behavioral1/memory/112-27-0x0000000000500000-0x000000000050F000-memory.dmp   INDICATOR_EXE_Packed_MPress

Executes dropped EXE (1 IoCs)
pid   Process
112   misid.exe

Loads dropped DLL (1 IoCs)
pid    Process
1252   2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description                          pid    Process                                                         procid_target
PID 1252 wrote to memory of 112      1252   2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe   28
PID 1252 wrote to memory of 112      1252   2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe   28
PID 1252 wrote to memory of 112      1252   2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe   28
PID 1252 wrote to memory of 112      1252   2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe   28
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-18_d1acab556b7caba505c8a950611eeab3_cryptolocker.exe"
  PID: 1252
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\misid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    PID: 112
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 84KB
MD5: 8c36f9ec358f597df1f6798c8c066dad
SHA1: 374e9d9ff5e25912b9c13e55d643ee685395f52d
SHA256: 3b01eb8c4a6bfe50d7bbf0b56a5e51fcd2ade92e9992f9409ca1d7f139b946bc
SHA512: 2d18a8c399c147a0e11c7a176a26d972edda3e237d2e8b0c74ede9962b967897784a2580f0a9f0afd0c3ef5b444f94df737102e6e3851a5e9b400ff68831c436