Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 18:44
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe
-
Size
70KB
-
MD5
184fbe66971ee9a30b23b39c65f74c10
-
SHA1
35c39fd08f189b5169362bdec6541b7d37cd9020
-
SHA256
63c11c6d3bc5b54de8a5ae1ca2d955f85fef034f7f148e584136545d4236f909
-
SHA512
59ff692b2ae4ef358e2d95b7809a9dd75a38e1b54efe08c4285ecc13942c69d1eef4b24f7cf8f005426397a1e7d68defb7409532c80f422c52022100bf5908af
-
SSDEEP
768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUNsYD/d3:i5nkFGMOtEvwDpjNbwQEI8UZD9
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
- PID 2080: misid.exe
Loads dropped DLL (1 IoC)
- PID 2336: 2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | misid.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2336 wrote to memory of 2080 | 2336 | 2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe | 31
PID 2336 wrote to memory of 2080 | 2336 | 2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe | 31
PID 2336 wrote to memory of 2080 | 2336 | 2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe | 31
PID 2336 wrote to memory of 2080 | 2336 | 2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-21_184fbe66971ee9a30b23b39c65f74c10_cryptolocker.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2336
   2. C:\Users\Admin\AppData\Local\Temp\misid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2080
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 71KB
  MD5: 56c1b6af5670a860af8cbe59b28c75a0
  SHA1: 5aeb5b558c19c7ac3f1ae54da0ff08074198357d
  SHA256: c1e67f818172ab6c21294434acffcf243789f9e1a001b247935dbe6960b6ebfe
  SHA512: 3d12353f4e3648aaa4b1128a51ede801038f718c205b752908ae7410ae4c2061ea38d36357be1382e5b5afee8a02682dfb83ec9e3220fc01c7f41d7f064bca7b
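The report above gives two hash sets: the submitted 70KB sample and the 71KB file under Downloads. The following is an added example, not part of the tria.ge report, showing how a responder would turn those hashes into a file matcher that also flags inconsistent hits (an MD5 that matches while the SHA-1 or SHA-256 of the same file does not, which points at a bad IOC record rather than a confirmed hit). The report does not state the on-disk name of the 71KB download, so that entry is labelled by size only; the placeholder input bytes in the test are constructed and are not the sample.

```python
import hashlib
import os

# Hashes copied from the report above. Only the submitted sample and the 71KB
# file listed under "Downloads" carry hashes; the report does not say which
# on-disk name that second file had, so it is labelled by size only.
REPORT_IOCS = {
    "submitted sample (70KB)": {
        "md5": "184fbe66971ee9a30b23b39c65f74c10",
        "sha1": "35c39fd08f189b5169362bdec6541b7d37cd9020",
        "sha256": "63c11c6d3bc5b54de8a5ae1ca2d955f85fef034f7f148e584136545d4236f909",
    },
    "download (71KB)": {
        "md5": "56c1b6af5670a860af8cbe59b28c75a0",
        "sha1": "5aeb5b558c19c7ac3f1ae54da0ff08074198357d",
        "sha256": "c1e67f818172ab6c21294434acffcf243789f9e1a001b247935dbe6960b6ebfe",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Compute the three report algorithms over one buffer."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def match_iocs(observed: dict, iocs: dict = REPORT_IOCS) -> dict:
    """Compare observed hashes against the report's IOC records.

    observed maps algorithm name to hex digest; keys and values are normalised
    to lower case so a SIEM export with "SHA256" keys or upper-case digests
    still matches. The result maps each IOC label that matched on at least one
    algorithm to {"matched": [...], "mismatched": [...]}. A non-empty
    "mismatched" list means a digest for a different algorithm disagrees with
    the report: either the IOC record is wrong or the files are not the same,
    so treat it as a data-quality alert rather than a confirmed hit.
    """
    obs = {k.lower(): v.lower() for k, v in observed.items()}
    result = {}
    for label, known in iocs.items():
        matched, mismatched = [], []
        for algo, value in known.items():
            if algo in obs:
                (matched if obs[algo] == value.lower() else mismatched).append(algo)
        if matched:
            result[label] = {"matched": matched, "mismatched": mismatched}
    return result


def scan_file(path: str) -> dict:
    """Hash one file with all report algorithms and match it."""
    with open(path, "rb") as f:
        return match_iocs(digests(f.read()))


def scan_tree(root: str) -> dict:
    """Hash every regular file under root; return {path: match result} for hits only."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                result = scan_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if result:
                hits[path] = result
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python ioc_match.py <directory>. On a host like the sandbox VM the
    # directory to sweep is the user's %TEMP%, where both files were written.
    for path, result in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, result)
```

Matching on every algorithm the report lists, rather than SHA-256 alone, lets a partial record from another tool (often only an MD5) still hit, while the mismatch list catches the case where two different records have been stitched together under one label.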