Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 06:01
Behavioral task
behavioral1
Sample
Ransom.Win32.Tescrypt.exe
Resource
win7-20240903-en
General
-
Target
Ransom.Win32.Tescrypt.exe
-
Size
68KB
-
MD5
ea181c784d007ed62403d5a6c766a610
-
SHA1
a0edb8ef1fd5674a36adc48c218ae951cf17d1c3
-
SHA256
deddb8383fc1b2f35138408351d07b090b9bd8dd3bd43e04d5c3ffd42a6d003a
-
SHA512
34e7c090f22544f01e416c560bdd510bfcba9e0d002567c6050dfd748000abef1bf61d6704f0cde481f0ac90a62134a3b1cd8c6041708152de2a190422c6572a
-
SSDEEP
1536:fgWJBwVSclkxvodVSXq7vTFtb47XPArcxvgLLqZ10CmuJdr:fgWJi1kxvqVCq7LFtE7/ArcxkOZ1Bbdr
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2176 Ransom.Win32.Tescrypt.exe -
Executes dropped EXE 1 IoCs
pid Process 2176 Ransom.Win32.Tescrypt.exe -
Loads dropped DLL 1 IoCs
pid Process 2276 Ransom.Win32.Tescrypt.exe -
resource yara_rule behavioral1/memory/2276-0-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral1/files/0x0008000000012101-10.dat upx behavioral1/memory/2276-12-0x00000000001F0000-0x000000000022A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ransom.Win32.Tescrypt.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2276 Ransom.Win32.Tescrypt.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2276 Ransom.Win32.Tescrypt.exe 2176 Ransom.Win32.Tescrypt.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2176 2276 Ransom.Win32.Tescrypt.exe 30 PID 2276 wrote to memory of 2176 2276 Ransom.Win32.Tescrypt.exe 30 PID 2276 wrote to memory of 2176 2276 Ransom.Win32.Tescrypt.exe 30 PID 2276 wrote to memory of 2176 2276 Ransom.Win32.Tescrypt.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.Tescrypt.exe"C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.Tescrypt.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.Tescrypt.exeC:\Users\Admin\AppData\Local\Temp\Ransom.Win32.Tescrypt.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2176
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD58dd58a04dd612b151a12237cc1b8f51a
SHA10678ee4abb5697ac3b6a7ca26256cfe8108fd63b
SHA256419fba3da38978b857eddeecee40fe8fcd62503ee5532ceeb836f62ea264c2c5
SHA51226dc1c8835e47892f4d59cbde5a8b431803e1e36f4377d9a96f54c27f484ccac3fcb77e78b77b708068fda4769f69e0e7cd03281dbe0a8b06a32c98d395ac855