Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08/04/2024, 15:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe
-
Size
65KB
-
MD5
18b42dca86d3a8f4e5aa8bc4b6a3f2d6
-
SHA1
d71647602b66752c05763d2a12c22567206f3fe7
-
SHA256
c81d4a024057972cd3e8c8829b34fd8685e51493c3f5d3aa14f2f54659cc08a2
-
SHA512
d0040cc4b9a16e3b8d92a98deb3f990268b65d157e8b400df52ad810547c5c95473b6a2e3e2331d07afda2f0c103dbbbd37fe31e573b5fc99cfde557cb855ec4
-
SSDEEP
768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEO10KmJS:6j+1NMOtEvwDpjr8ox8UDEy0KmY
Malware Config
Signatures
-
Detection of CryptoLocker Variants 6 IoCs
resource yara_rule behavioral1/memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000a000000012254-11.dat CryptoLocker_rule2 behavioral1/memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 6 IoCs
resource yara_rule behavioral1/memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/files/0x000a000000012254-11.dat CryptoLocker_set1 behavioral1/memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp CryptoLocker_set1 behavioral1/memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Detects executables built or packed with MPress PE compressor 6 IoCs
resource yara_rule behavioral1/memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x000a000000012254-11.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 1 IoCs
pid Process 2272 misid.exe -
Loads dropped DLL 1 IoCs
pid Process 1504 2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1504 wrote to memory of 2272 1504 2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe 28 PID 1504 wrote to memory of 2272 1504 2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe 28 PID 1504 wrote to memory of 2272 1504 2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe 28 PID 1504 wrote to memory of 2272 1504 2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:2272
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5d890dc70c897c5d4c40170169cf716c0
SHA162f28357c361904f946c6813de41c954d9b8d87f
SHA256fea7ae99a4a166f123665edce9a2866ffa33ab9da8467c5c2c529ab3ca3ed66d
SHA512e284e7802216e46546f1be8a67b93cfba2226b08064e486b3cbfab43b988ab08d7059ebfe443fe3f1754f25fb508ef37e3cc356716a1de1fc3e9167f53729d4a