Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
151s
max time network
177s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
13/03/2024, 00:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
Resource
win10v2004-20240226-en
General
Target
2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
Size
5.5MB
MD5
97512fd53f2b734fdbee327d6cdff297
SHA1
efd56c8a61bb14fa0358cdc6e2c13eeea9fc9677
SHA256
f90b4bf6fd99960d7e5becc234c6bcfc813dbba8e8e7fd49232269982bf56923
SHA512
9c729d8ee67b56744348f4e729d88d3b072107e4c3ec381442ed4d3ff0b6621e2835c2ae88a2b061f49a745f5b4bf9b2fd03190ae2e1c9f2d9690e274b4aa236
SSDEEP
98304:B2TI98GkoP+kfhZ5Tgm7jdwg+Zl3dKxikhFmg+47eggcgiP05h2VC:OI1PvfhfhOZzkzmg+8egrghz
Malware Config
Signatures
Detection of CryptoLocker Variants (9 IoCs)
resource  yara_rule
behavioral1/memory/3004-0-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/3004-4-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_rule2
behavioral1/files/0x000b000000015c73-20.dat  CryptoLocker_rule2
behavioral1/memory/3004-25-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_rule2
behavioral1/files/0x000b000000015c73-23.dat  CryptoLocker_rule2
behavioral1/files/0x000b000000015c73-24.dat  CryptoLocker_rule2
behavioral1/memory/1824-27-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/1824-31-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/1824-41-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_rule2
Detection of Cryptolocker Samples (5 IoCs)
resource  yara_rule
behavioral1/memory/3004-4-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_set1
behavioral1/memory/3004-25-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_set1
behavioral1/memory/1824-27-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_set1
behavioral1/memory/1824-31-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_set1
behavioral1/memory/1824-41-0x0000000000500000-0x0000000000D8A000-memory.dmp  CryptoLocker_set1
Executes dropped EXE (1 IoCs)
pid  Process
1824  asih.exe
Loads dropped DLL (1 IoCs)
pid  Process
3004  2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
3004  2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
1824  asih.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description  pid  Process  procid_target
PID 3004 wrote to memory of 1824  3004  2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe  27
PID 3004 wrote to memory of 1824  3004  2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe  27
PID 3004 wrote to memory of 1824  3004  2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe  27
PID 3004 wrote to memory of 1824  3004  2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe  27
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe"
  PID: 3004
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\asih.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 1824
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1.2MB
MD5
90943ee8c86ff72f4b49b2b7ad1b2c14
SHA1
3293638297bce274cdc6c0c42982e4ecb8e492ec
SHA256
3d45c59213e4176019586c5ddbe201ad1953d89d60c91593fff8d860c58a4e02
SHA512
44c75ea02d491270e96a7daa22672c26e5783c8c59b918c3eb184110fef97096fba37744b51a005fc86bf654646b0154eb554fbd973a2c54b6db99929a89e10c

Filesize
1.6MB
MD5
8e7f16a59299f6dfe783a4c070d90e09
SHA1
7c2e588889b06c16a022efd7cc5ff037932e4478
SHA256
f976e37e7dbe912ab274a7507dcdb61e8c0f83ec277c6aaaa9a0fa00260a7208
SHA512
2b6d6f329021768a53e5239d684d8e231947d3185953680098a6f999ff5dca8859518598b9ae0fd1713e4964ac59a523982d49ec88e85492370bfb8684d2d98e

Filesize
1.7MB
MD5
7e4e7eb2e82b04eeae9123cfe76b41a9
SHA1
f476ce6e47a6cbadd0f81c8ed308b38d653e78ef
SHA256
f6b743f7e35b57cc7dd17810ecbe18e118b2dc86eaac884c1151a71764097b3e
SHA512
04a148db835061294b4dc1bad72b96faf08a4e963cf5939939838a4609e94cbd80cf8acc1c8783b887b0a325476d0c96032604cb5919f12bb65d34fad5997496