Analysis
max time kernel: 153s
max time network: 160s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 20:34
Behavioral task: behavioral1
Sample: 2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe
Size: 63KB
MD5: 5903c1818823ac32de496c08bf75e227
SHA1: b793839c76bbae1fd968585dabff7d34419378a8
SHA256: 4f36558b30a0c30138d276ad1e5163e6e8c96fe67188a8eecc3b79c1d06925d5
SHA512: 07695ad43c40f84e07c7e549bf803ddfbf7d573ca2f79b6f43e000c2f3802365990937e6ecf3f2f9dfcbe3c5696e6898dcf15b54d46095760934ddc2cbe02479
SSDEEP: 768:zQz7yVEhs9+syJP6ntOOtEvwDpjFelaB7yBEY9Su8F5mnVwfX7:zj+soPSMOtEvwDpj4kpmeLmnw7
Malware Config

Signatures

Detection of CryptoLocker Variants (6 IoCs)
resource                                                                    yara_rule
behavioral1/memory/840-0-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_rule2
behavioral1/memory/840-15-0x0000000000500000-0x0000000000510000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/840-13-0x00000000006F0000-0x0000000000700000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/3028-17-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2
behavioral1/files/0x0008000000012247-11.dat                                 CryptoLocker_rule2
behavioral1/memory/3028-27-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2

Detection of Cryptolocker Samples (5 IoCs)
resource                                                                    yara_rule
behavioral1/memory/840-0-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_set1
behavioral1/memory/840-15-0x0000000000500000-0x0000000000510000-memory.dmp  CryptoLocker_set1
behavioral1/memory/3028-17-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1
behavioral1/files/0x0008000000012247-11.dat                                 CryptoLocker_set1
behavioral1/memory/3028-27-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1

UPX dump on OEP (original entry point) (5 IoCs)
resource                                                                    yara_rule
behavioral1/memory/840-0-0x0000000000500000-0x0000000000510000-memory.dmp   UPX
behavioral1/memory/840-15-0x0000000000500000-0x0000000000510000-memory.dmp  UPX
behavioral1/memory/3028-17-0x0000000000500000-0x0000000000510000-memory.dmp UPX
behavioral1/files/0x0008000000012247-11.dat                                 UPX
behavioral1/memory/3028-27-0x0000000000500000-0x0000000000510000-memory.dmp UPX

Executes dropped EXE (1 IoCs)
pid   Process
3028  misid.exe

Loads dropped DLL (1 IoCs)
pid   Process
840   2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe

resource                                                                    yara_rule
behavioral1/memory/840-0-0x0000000000500000-0x0000000000510000-memory.dmp   upx
behavioral1/memory/840-15-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral1/memory/3028-17-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral1/files/0x0008000000012247-11.dat                                 upx
behavioral1/memory/3028-27-0x0000000000500000-0x0000000000510000-memory.dmp upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid   Process                                                         procid_target
PID 840 wrote to memory of 3028    840   2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe    28
PID 840 wrote to memory of 3028    840   2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe    28
PID 840 wrote to memory of 3028    840   2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe    28
PID 840 wrote to memory of 3028    840   2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe    28
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-05_5903c1818823ac32de496c08bf75e227_cryptolocker.exe"
   PID: 840
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\misid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      PID: 3028
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64KB
MD5: 7245ba12664d18f22df5f19cf0d0f207
SHA1: c8c5b447670cf8b874f1ff410c17c5a9dcd2dd76
SHA256: 52f84d9f0f097069e683b0357ed604c297c028825c7b82dd8325979b7137ad81
SHA512: 5afcb5223b915e56b54ad0d2a18a508f4e7c20131b8779aa093ed56b3fc9c3c24aa7f45a85373f2e4178f198dd5bc00ac0c49db446ce4d0213a8a78f6a44e265