Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 14/08/2024, 14:48
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe
- Size: 50KB
- MD5: 39742afbb7012fca37c63075354b445a
- SHA1: 77d80c4327983fa120be7e3879eac2eb4bca7fe5
- SHA256: 324de0083623b5ad750af6542da44c1b7be46da6035cc2e2fe32d91ea53015c6
- SHA512: 454da9d95b8d6c45028e4079e941a2058a0d23f766fdbcc35a97b9a77c9b656b80a62b4e57850d4225daa18e0ce4926d980f34e26126df5211662d6d7ccdf57c
- SSDEEP: 384:icX+ni9VCr5nQI021q4VQBqURYp055TOtOOtEvwDpjqIGR/hHi7/OlI0G/74zpzT:XS5nQJ24LR1bytOOtEvwDpjNbP/0Gehh
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2060 | misid.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2380 | 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | misid.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2380 wrote to memory of 2060 | 2380 | 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe | 30
  PID 2380 wrote to memory of 2060 | 2380 | 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe | 30
  PID 2380 wrote to memory of 2060 | 2380 | 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe | 30
  PID 2380 wrote to memory of 2060 | 2380 | 2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_39742afbb7012fca37c63075354b445a_cryptolocker.exe"
  PID: 2380
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\misid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    PID: 2060
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 50KB
  MD5: 5ceffbad0b9051687f748cc5ed2d0728
  SHA1: 5b845748eadc25491fd04da95b75b44fb7465937
  SHA256: a1e7035068d093d0cb59fb56ea65486f3ec86854f18efac0ce00f960ed85238d
  SHA512: d58d1299bd21a4385718d1e3ec00130a4e19afa0bad754666ee8da1eb2e555dfb0733065464c5d447ae56ef526ddd299a26fab8c3748b586aa3fe4380f54b872