Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 03:38
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe
- Size: 40KB
- MD5: 76050872e4d7a7b5c21c7c1c662188ba
- SHA1: 10d27a13d6161d0a28485d905ac473de6fc18aad
- SHA256: 43021caa35dbdb92ef1384630a586a7f88582b299ee6e53af2236d4a889e0aa7
- SHA512: fdefec89def27d343be6c7cf179c9ed6c883bd0b76d0b84ac1691c36f34979d92adb4aada43641d350c0c812fe558d7423f01db1f9440f30e3012060007e9d81
- SSDEEP: 768:fTz7y3lhsT+hs1SQtOOtEvwDpjfAu9+4qNFl:fT+hsMQMOtEvwDpjoIHe
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2144, process misid.exe
- Loads dropped DLL (1 IoC)
  pid 2424, process 2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process misid.exe
- Suspicious use of WriteProcessMemory (4 IoCs, all identical)
  PID 2424 (2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe) wrote to memory of PID 2144, procid_target 30
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-14_76050872e4d7a7b5c21c7c1c662188ba_cryptolocker.exe"
  PID: 2424
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\misid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    PID: 2144
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40KB
  MD5: a21c7cbb9ba9d0dee558139661dd2283
  SHA1: 889b34c9b75ee8c015585d2555c53ecac2dac470
  SHA256: f7925e77d7fb5e85b7bf842200970490ec4c12c2bd212762e283c54aa8c127c5
  SHA512: f8a32c68fb36132f932d2d7400e54442102c63e2826c57c3936030a5ed7f75c97fdb6038789ec4e79156c88c3a70e291611e1e3f3816dbd1514474e4881f3fc0