Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
09/07/2024, 20:22
Static task
static1
Behavioral task
behavioral1
Sample
2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe
Resource
win10v2004-20240709-en
General
-
Target
2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe
-
Size
50KB
-
MD5
47b1e786d29ff9302166dbb22439cb21
-
SHA1
be339f3ff4521db72f55b5dce27d1f733a4e4426
-
SHA256
ff70a07217ac2544fb8093dc593fe85e68230e465fd0de8d497963f6bbf60c73
-
SHA512
ac5471ef68db5e527f6d19256529feb107e753c4f6b9da1d0e2c55e820fa9f072d32656b4328726e31949452300e480deb6bc9259ec599e69a072576b45904be
-
SSDEEP
768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr42A7n0FmB0nU:vj+jsMQMOtEvwDpj5HczerLO04B/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1716 misid.exe -
Loads dropped DLL 1 IoCs
pid Process 1792 2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1792 wrote to memory of 1716 1792 2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe 30 PID 1792 wrote to memory of 1716 1792 2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe 30 PID 1792 wrote to memory of 1716 1792 2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe 30 PID 1792 wrote to memory of 1716 1792 2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-09_47b1e786d29ff9302166dbb22439cb21_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:1716
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD56a52f87b2f9ea45c5ac7b80bd2564f4b
SHA1e4300334a2e0716fc59a008d38487074be214a53
SHA256657d11e34c24e65772945d1612650b5b33af6bab4dcb85bd2a2551d87b6ebc10
SHA512e276685718e4998173a47ffa8534eec62b4c7769fa97d87f92cb2cdc4a99fb24aa7aa5badda29ccd5f6b8494b2703cec0fb9a0999b2e2ae0007f9f6fcf4a52d7