Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 04:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe
Size: 45KB
MD5: 3e4bcd3646436cb2c94fcabdbb8fa409
SHA1: 609b6b96499e9e76340781668806bfd9e94c74ae
SHA256: 87e2969f0834cbcb3302beef33a10259157fcbab16af383743900fcd5e9454c7
SHA512: f5e84196aad41efcc525523230c75219303fa3b70cfc2d132ff118d4d6837c3871a16d027fed1b3f7f3b83f9e43cbc0e64c5e69ae51949394fbe93af2de78684
SSDEEP: 384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jb0nrlwfjDUk3b+N3:bm74zYcgT/EkM0ryfjd3W3
Malware Config
Signatures
Detection of CryptoLocker Variants (5 IoCs)
  resource / yara_rule:
  behavioral1/memory/1068-0-0x0000000008000000-0x000000000800D000-memory.dmp  CryptoLocker_rule2
  behavioral1/files/0x000e00000001226c-11.dat  CryptoLocker_rule2
  behavioral1/memory/1068-15-0x0000000008000000-0x000000000800D000-memory.dmp  CryptoLocker_rule2
  behavioral1/memory/2924-16-0x0000000008000000-0x000000000800D000-memory.dmp  CryptoLocker_rule2
  behavioral1/memory/2924-26-0x0000000008000000-0x000000000800D000-memory.dmp  CryptoLocker_rule2
Executes dropped EXE (1 IoC)
  pid / Process:
  2924  hasfj.exe
Loads dropped DLL (1 IoC)
  pid / Process:
  1068  2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  PID 1068 wrote to memory of 2924  1068  2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe  28
  PID 1068 wrote to memory of 2924  1068  2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe  28
  PID 1068 wrote to memory of 2924  1068  2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe  28
  PID 1068 wrote to memory of 2924  1068  2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-20_3e4bcd3646436cb2c94fcabdbb8fa409_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1068
  child process: C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
    - Executes dropped EXE
    PID: 2924
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 45KB
MD5: 7aa91d52d5c2b2de583f772cd87bf607
SHA1: 8bf96b57eb7d394eb7a57eea93f13393addfbc10
SHA256: 95549eafd4eed45f25bcec87615504917846af203e34250f07d0d4bdda14acaf
SHA512: df278db30c6139bc07c3dffe4f301b14aaf07c49c208d613b2d634bd0abdac2c040a4176c8731707488ee0c6a9c9aa5399d70823ed2fc8cbdb3bab0d84fd2636