Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 16:21
Behavioral task: behavioral1
Sample: 2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe
Resource: win7-20240903-en
General
Target: 2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe
Size: 70KB
MD5: 34c726f5704091aad5cd354b62e7e336
SHA1: fae06afa1768a69d568bc7ca4df301a575fa1e1f
SHA256: faeeb8fb48045652d8dbe0e538d95b3df44115fabca34b33f22efec59b3b6200
SHA512: b5e157e662bb90ca9e2e8238c1c19ceb9f72a31f53ee483666582a2ab0cacf0f3b4db4b704e289e5267ee42351e09c60c5fc60a4e92fd1922b782c2ce50f66ff
SSDEEP: 1536:quJu9cvMOtEvwDpjWYTjipvF2bx1PQApI0u:78SEOtEvwDpjWYvQd2Pe
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  2748  asih.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  2792  2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe

UPX packed file (yara_rule matches)
  resource                                                                  yara_rule
  behavioral1/memory/2792-0-0x0000000000500000-0x000000000050F000-memory.dmp   upx
  behavioral1/files/0x000b000000012029-11.dat                                 upx
  behavioral1/memory/2792-17-0x0000000000500000-0x000000000050F000-memory.dmp  upx
  behavioral1/memory/2748-27-0x0000000000500000-0x000000000050F000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  asih.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                   pid   Process                                                        procid_target
  PID 2792 wrote to memory of 2748  2792  2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe  28
  PID 2792 wrote to memory of 2748  2792  2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe  28
  PID 2792 wrote to memory of 2748  2792  2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe  28
  PID 2792 wrote to memory of 2748  2792  2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-12_34c726f5704091aad5cd354b62e7e336_cryptolocker.exe"
   PID: 2792
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 2792)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 2748
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 71KB
MD5: 5b0c0925336718ab1e1c4ae451a40469
SHA1: b84997455a3a0ef83f6998c7c8b9e0c1b7ecf87f
SHA256: 2019ed2dbf5831d829c3d824ffc049c489e917f2e68558776738ccaea3401813
SHA512: 9849451328db74c8783467b9e4790b6c715ded97f551cedf93b98afdc3af6a17de0856ddf24e392342fb5bd6de8140c5f2a61ac6e832594db5de7c48b56566fd