Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
21/04/2024, 04:43
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe
-
Size
39KB
-
MD5
f1dcbe6a90fe3fd9e8ed08f72d50f09e
-
SHA1
caacaefe77e2e10527e3f2d632a52a60295e08da
-
SHA256
c1eb02f5ae27591cf35bc4d1a3fa1c1c5a2850ca322c0fbb6a761e17b01ce76c
-
SHA512
61be6082a9d24482efef1e346f439d70a14d619363d92e3473a225af70a48c4766fcec563f26d13a910f51bc0e6c70dc3a5b718e649b2a0092dbd36f41cb6f7b
-
SSDEEP
768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6WaJIOc+UPPEkLNWR:YGzl5wjRQBBOsP1QMOtEvwDpjgarrkLA
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/2368-0-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x0009000000014120-11.dat CryptoLocker_rule2 behavioral1/memory/2368-15-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1716-16-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral1/memory/2368-0-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 behavioral1/files/0x0009000000014120-11.dat CryptoLocker_set1 behavioral1/memory/2368-15-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 behavioral1/memory/1716-16-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
pid Process 1716 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 2368 2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2368 wrote to memory of 1716 2368 2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe 28 PID 2368 wrote to memory of 1716 2368 2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe 28 PID 2368 wrote to memory of 1716 2368 2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe 28 PID 2368 wrote to memory of 1716 2368 2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-21_f1dcbe6a90fe3fd9e8ed08f72d50f09e_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:1716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD523c66acb42540af84ca4eff7a0d0753f
SHA19aab876895787c39f9eb0ceb67615e100f38c270
SHA256e1c433e7809baa5d304ba00da3463910e5485d7c3d409e65fafe3629d7d1b9f1
SHA512a2af1a3fa048d5f677a0ce4b1af9d30283525494d31b758d9537a327e53a2960f77f89f83510aa6c3901242d06fd0384e403c09018e6ba8acf6f50ef6b1b8d3b