Analysis
- max time kernel: 133s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/09/2024, 11:07
Behavioral task: behavioral1
- Sample: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe
- Resource: win7-20240903-en
General
- Target: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe
- Size: 62KB
- MD5: 909a250c720704210af136aaccf90f81
- SHA1: 3ef4153d918d8ccb09f5dbf75f441f2dab253467
- SHA256: 288d52e344a85b748a648bbb322e5c54957f4ce31aed0a54f4c439a16b88936e
- SHA512: 8a43c2ce9fbfb9c8a2e8c5cc21e78ba31249a4079088d057e8fdcc1cb7951ebb9655353c4ccd5cf49f90f08efe621d9669e61f3cbf7d2a0568ccc1811673c676
- SSDEEP: 768:H6LsoEEeegiZPvEhHSG+gk5NQXtckstOOtEvwDpjhBaD3TUogs/VXpAP3qhE:H6QFElP6n+gou9cvMOtEvwDpjCpVXhhE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2052: asih.exe
- Loads dropped DLL (1 IoC)
  PID 1636: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe
- YARA rule matches (rule: upx, 5 resources)
  behavioral1/memory/1636-0-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  behavioral1/files/0x0007000000012117-11.dat (upx)
  behavioral1/memory/2052-16-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  behavioral1/memory/1636-15-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  behavioral1/memory/2052-26-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: asih.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1636 wrote to memory of PID 2052 (process: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe, procid_target: 28)
  PID 1636 wrote to memory of PID 2052 (process: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe, procid_target: 28)
  PID 1636 wrote to memory of PID 2052 (process: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe, procid_target: 28)
  PID 1636 wrote to memory of PID 2052 (process: 2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe, procid_target: 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-05_909a250c720704210af136aaccf90f81_cryptolocker.exe"
  PID: 1636
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 2052
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 62KB
- MD5: 06aecf3eaddb88f5750c4bbf86b50cb0
- SHA1: 1e70c163f9344511ab6d3916a1189edde38432a3
- SHA256: f5a282ad3dd8b0a40a60c80ed892d526b1184631f3bebb0e7bdc2451f9ec7fd5
- SHA512: 6de5afaf4bb1d40e18518d7ca3ffb843b6ce33004ca865b4baa2aa780804a776aaa05db4109b74b5d5fc392c385508971c710f4ad669a93a447e45aba3499aaa