Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 145s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 31/05/2024, 23:33
Behavioral task: behavioral1
Sample: 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe
Resource: win10v2004-20240426-en
General
Target: 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe
Size: 39KB
MD5: 7cb318f9d4b86cf44be7ecadf528d3ea
SHA1: 6e13ded0b67e8d215b85a9405bf2e33598e83301
SHA256: de2785df4b535d61b8ad23bc1b46c235619ecfc7880f31963d6aa49877381de6
SHA512: 68aeb140434289a6f85792cab40dd37e79a9db8422c6dcc51fb37604ecd5cb6fac142a18055fd0b69e926bd549ca80603b33f8c8c0c7492751fb89baeb147bef
SSDEEP: 768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITY7f:qDdFJy3QMOtEvwDpjjWMl7Tsf
Malware Config
Signatures
Detection of CryptoLocker Variants (4 IoCs)
resource | yara_rule
behavioral1/memory/2364-8-0x0000000000500000-0x0000000000510000-memory.dmp | CryptoLocker_rule2
behavioral1/files/0x000b00000001226d-15.dat | CryptoLocker_rule2
behavioral1/memory/2576-16-0x0000000000500000-0x0000000000510000-memory.dmp | CryptoLocker_rule2
behavioral1/memory/2576-25-0x0000000000500000-0x0000000000510000-memory.dmp | CryptoLocker_rule2

Detection of Cryptolocker Samples (4 IoCs)
resource | yara_rule
behavioral1/memory/2364-8-0x0000000000500000-0x0000000000510000-memory.dmp | CryptoLocker_set1
behavioral1/files/0x000b00000001226d-15.dat | CryptoLocker_set1
behavioral1/memory/2576-16-0x0000000000500000-0x0000000000510000-memory.dmp | CryptoLocker_set1
behavioral1/memory/2576-25-0x0000000000500000-0x0000000000510000-memory.dmp | CryptoLocker_set1

UPX dump on OEP (original entry point) (4 IoCs)
resource | yara_rule
behavioral1/memory/2364-8-0x0000000000500000-0x0000000000510000-memory.dmp | UPX
behavioral1/files/0x000b00000001226d-15.dat | UPX
behavioral1/memory/2576-16-0x0000000000500000-0x0000000000510000-memory.dmp | UPX
behavioral1/memory/2576-25-0x0000000000500000-0x0000000000510000-memory.dmp | UPX

Executes dropped EXE (1 IoCs)
pid | Process
2576 | asih.exe

Loads dropped DLL (1 IoCs)
pid | Process
2364 | 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe

resource | yara_rule
behavioral1/memory/2364-8-0x0000000000500000-0x0000000000510000-memory.dmp | upx
behavioral1/files/0x000b00000001226d-15.dat | upx
behavioral1/memory/2576-16-0x0000000000500000-0x0000000000510000-memory.dmp | upx
behavioral1/memory/2576-25-0x0000000000500000-0x0000000000510000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 2576 | 2364 | 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe | 28
PID 2364 wrote to memory of 2576 | 2364 | 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe | 28
PID 2364 wrote to memory of 2576 | 2364 | 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe | 28
PID 2364 wrote to memory of 2576 | 2364 | 2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-31_7cb318f9d4b86cf44be7ecadf528d3ea_cryptolocker.exe"
  PID: 2364
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\asih.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 2576
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: c849ab0cb4e8e10ff689fce6d2d86399
SHA1: ae2bcb8afb65dfb3deff220b9384192d7aa1f6b0
SHA256: 648b4a520ecc9e4eab8b18eae81c56ee0415e1dcbfa85b00da4a40a1b66c6b84
SHA512: 939ef57850a1fc8e0e5926cc48309f19a27302ba747adcd744aa8d8d61196781c1bcd851436bce5d1bbf7f084ee880fe34ee8c692c8e52d92e74dda989a55518