Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 21/02/2024, 20:02
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe
  Resource: win10v2004-20240221-en
General
Target: 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe
Size: 47KB
MD5: e8974941966d70d535c208213c04ab8e
SHA1: 1eae1d1d4123e4eb54c8a049176d4609ea75c997
SHA256: fc4a6d6ffd8c804ca15f2c22541c2e606b67739803611e47990dde023c2544af
SHA512: cb54b45bd2d54a53408ca04750528672b49f717a1dbc34b391e39d28a50e396081f2800ae6449d209f6b067b661137b987595802671d965b09a98bccdd843254
SSDEEP: 768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5z/hLVdz:bgGYcA/53GAA6y37nbB5
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
  resource: behavioral1/files/0x000b000000012251-10.dat
  yara_rule: CryptoLocker_rule2
Executes dropped EXE (1 IoCs)
  pid: 2980
  Process: hasfj.exe
Loads dropped DLL (1 IoCs)
  pid: 2316
  Process: 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2316 wrote to memory of 2980 | 2316 | 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe | 28
  PID 2316 wrote to memory of 2980 | 2316 | 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe | 28
  PID 2316 wrote to memory of 2980 | 2316 | 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe | 28
  PID 2316 wrote to memory of 2980 | 2316 | 2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe (PID: 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-21_e8974941966d70d535c208213c04ab8e_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Users\Admin\AppData\Local\Temp\hasfj.exe (PID: 2980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 47KB
MD5: 35b930906ff61b4533fa1ba032fd2882
SHA1: e865b5c4ac6f35a675cf7bb958a1441dfa3f5bef
SHA256: 0f7589792a778c738bf20e16230155666a36cd6529a7dcc2246b5dee3c538e32
SHA512: b9e1defe4e71f664280756d8025543e63018bbd9eb1ca0196e50cf6eda8d827ebafb41677a11861b63c494d1b340304c0b28f957597400f3b22bc0a8bdd5b6be