Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01/05/2024, 08:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe
-
Size
48KB
-
MD5
20fcf2cdbfa76a2ef48d43930151c33c
-
SHA1
bad9e6b2f298517d20f97309f6782b96283dbc77
-
SHA256
d9bdb16f90d2b6596ce70a0b19b880e9b63cc0823fa594ad7f9acd69c39d6885
-
SHA512
1ab64552be57a939ece6187b9bd123b13447fded332814a61771a2c6dc04ffedca09619535820cc2b5060e182a9e979e14830670d458f28229a1aa41015aa238
-
SSDEEP
768:B9inqyNR/QtOOtEvwDpjBK/rJ+Nw8qnTb1AuU:B9mqyNhQMOtEvwDpjBxe8S1AZ
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/1704-1-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000b000000014e3d-11.dat CryptoLocker_rule2 behavioral1/memory/1704-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2264-17-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral1/memory/1704-1-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/files/0x000b000000014e3d-11.dat CryptoLocker_set1 behavioral1/memory/1704-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2264-17-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
pid Process 2264 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 1704 2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2264 1704 2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe 28 PID 1704 wrote to memory of 2264 1704 2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe 28 PID 1704 wrote to memory of 2264 1704 2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe 28 PID 1704 wrote to memory of 2264 1704 2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-01_20fcf2cdbfa76a2ef48d43930151c33c_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:2264
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5252b23872a3845eb0b66796eceff29e6
SHA15514098dba7fb2533e02e3c5a820f65585611c5a
SHA256d5ea0821ef8cbb11566f6f1ff04b84bcb0e5044f7402bc86eb9bc62d92ad3fd3
SHA51231a8e905829e1ef74fe789eeb00d92964d08638b380cac5db719892d8a535429a93fe0b5b587926d21e0648146e47d954bcdd18c3fd86df7aed4f119505b7f89