Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/05/2024, 15:29
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe
- Resource: win10v2004-20240419-en
General
- Target: 2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe
- Size: 37KB
- MD5: 986857b6e5dd207bdae00aa89bc35c9c
- SHA1: 5abc792fa112537b55a94748df0b5774da8e05f7
- SHA256: 44c333534980e561f853b50225f51d4ba3faa6bd90f424f38986b52d4657cdd8
- SHA512: 6a2bdfb4ac75a3ab9a27a2c3398d2b63f84f2e59b3ef9bc8a9e47496b39228925ea6bb8415f918e363ecc4f10a3b48170418d9b228e49bc69ac19fe7537acb2a
- SSDEEP: 768:b7o/2n1TCraU6GD1a4Xt9bRU6zA6o36mI1k:bc/y2lLRU6zA6qp
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral1/files/0x000b000000012248-10.dat; yara_rule: CryptoLocker_rule2
- Executes dropped EXE (1 IoC)
  pid: 1788; process: rewok.exe
- Loads dropped DLL (1 IoC)
  pid: 912; process: 2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of UnmapMainImage (2 IoCs)
  pid: 912; process: 2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe
  pid: 1788; process: rewok.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 912 wrote to memory of 1788; pid: 912; process: 2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe; procid_target: 28
  (the same row is listed four times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-03_986857b6e5dd207bdae00aa89bc35c9c_cryptolocker.exe"
  PID: 912
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\rewok.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
    PID: 1788
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 37KB
- MD5: 2810f85a734549e387a0412f0257d8f7
- SHA1: 68c8bc6ca603fd0738a3173dde90acccff204102
- SHA256: a48b3559abe53a7548c40be796f2405cb12dad1b955fcfdd2d1a04bb3089848a
- SHA512: 3cf3178307c394eb7127095e18825c8721645ae07f5d0caf1b9bfc3cacc1ad5cc10e2429586b6edef9d378d6a1928bbe2a71b9c83d1931780058a9143a4bf99e