Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 12s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23/02/2024, 12:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
  Resource: win10v2004-20240221-en
General
Target: 2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
Size: 39KB
MD5: a149418ee29df4dde05b41d2222699bc
SHA1: 5b6b4a2744336b64285beae1723710a429a2dcef
SHA256: 228e913b3a21f68b1649e71d6e947b4596db6bd7d3dacdc224c0dfb087fe6892
SHA512: c2d2b675aaa05947c37d4128dcdea6019822143e04da3b79005bb56cdd900472c05ee99a06952226154c31f81529fa45e71072c585b34fc5da31ed7a76083b55
SSDEEP: 384:bM7Q0pjC4GybxMv01d3AcASBQMf6i/zzzcYgUPSznHzl6AJvDSuYlxujsFw5:b/yC4GyNM01GuQMNXw2PSjHPbSuYlaJ5
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral1/files/0x000a000000012240-10.dat
  yara_rule: CryptoLocker_rule2

Executes dropped EXE (1 IoC)
  pid: 1920
  Process: retln.exe

Loads dropped DLL (1 IoC)
  pid: 624
  Process: 2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of UnmapMainImage (2 IoCs)
  pid: 624   Process: 2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
  pid: 1920  Process: retln.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                 pid  Process                                                         procid_target
  PID 624 wrote to memory of  1920 624  2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe  28
  PID 624 wrote to memory of  1920 624  2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe  28
  PID 624 wrote to memory of  1920 624  2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe  28
  PID 624 wrote to memory of  1920 624  2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-23_a149418ee29df4dde05b41d2222699bc_cryptolocker.exe"
   PID: 624
   - Loads dropped DLL
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\retln.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\retln.exe"
      PID: 1920
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: 66e265f539eda4c87789f8fb8f333ca0
SHA1: 888e961d6bd7ac92fa832bb6ab5cf6cf07c7cc87
SHA256: 8af8cecb7ae45ff3c473b87b19ec8e6da6c9195d8f2a4dc13fb294f2e8ecf294
SHA512: 7aeb1b626180cb5d4efdcdd56149bb73f524e99295782e1dc8c7bc673b13457293751950966501894bff5c92bf69982af248e0b334cb3b75d591a8b97f14db43