Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/03/2024, 17:56
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe
- Size: 64KB
- MD5: bfb12bc505ca7736641758ac7b36758b
- SHA1: 40386403a0552097580e60ceb22506c92d24d65e
- SHA256: 12dd746c4fb22315953508e7e85a0702c088607682e8da266f41379dc7d46e71
- SHA512: 72e8dc462484cc7579a573148c0eeb837fae61d89883ed5bb796b0d51c429e5cdd3c579db04aea3984194e7bfbb286a82cd3e09375723ad5fa9b29509b511df3
- SSDEEP: 768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEMpf:6j+1NMOtEvwDpjr8ox8UDEI
Malware Config
Signatures
Detection of CryptoLocker Variants (5 IoCs)
resource | yara_rule
- behavioral1/memory/2856-0-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
- behavioral1/files/0x00050000000120e0-11.dat | CryptoLocker_rule2
- behavioral1/memory/2856-14-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
- behavioral1/memory/2084-17-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
- behavioral1/memory/2084-28-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2

Detection of Cryptolocker Samples (5 IoCs)
resource | yara_rule
- behavioral1/memory/2856-0-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
- behavioral1/files/0x00050000000120e0-11.dat | CryptoLocker_set1
- behavioral1/memory/2856-14-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
- behavioral1/memory/2084-17-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
- behavioral1/memory/2084-28-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1

Detects executables built or packed with MPress PE compressor (5 IoCs)
resource | yara_rule
- behavioral1/memory/2856-0-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral1/files/0x00050000000120e0-11.dat | INDICATOR_EXE_Packed_MPress
- behavioral1/memory/2856-14-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral1/memory/2084-17-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
- behavioral1/memory/2084-28-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress

Executes dropped EXE (1 IoCs)
pid | Process
- 2084 | misid.exe

Loads dropped DLL (1 IoCs)
pid | Process
- 2856 | 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
- PID 2856 wrote to memory of 2084 | 2856 | 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe | 28
- PID 2856 wrote to memory of 2084 | 2856 | 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe | 28
- PID 2856 wrote to memory of 2084 | 2856 | 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe | 28
- PID 2856 wrote to memory of 2084 | 2856 | 2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe (PID: 2856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\misid.exe (PID: 2084, child of 2856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: d6669ac16d0906a3749e3f9579686295
- SHA1: ad46c28f2ab888c806b39f3c215b74b24a9e61e2
- SHA256: dd7082697e9f668608062fe6a2f57340899afef87d1003134659974f309afb49
- SHA512: 4e7651402ef1a48a173e12bacbdbe3e91d6ad804b4ff64f11c67cacb818403b7f8d7f4971b5aee6ef7cacff7a848130a064ad3810606b30747059bfd86efe487