
Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2024, 03:29 UTC

General

  • Target

    2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe

  • Size

    72KB

  • MD5

    2eaa19f1f553a26538f62b873fc044b6

  • SHA1

    5852d16ae7eb6f1cfdbcaf39806a1dd47d4c73c1

  • SHA256

    cfd61ccef0f2339102ded1f11792ed37f459736299330ba51f70623380be6713

  • SHA512

    4d7c2feef7d63a5b5f6b865ff4e778d7a4f5eb922c22dcbdc39e64ed8a97ff656efd8b0d4f124f63dadd826f6f742b97b4444823ddcb8bbca8dd9ab24a92fbb5

  • SSDEEP

    1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1Me:X6a+SOtEvwDpjBZYvQd2j

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Detection of Cryptolocker Samples 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:2296

Network

  • DNS lookup by asih.exe (remote address 8.8.8.8:53)
    Request:
      emrlogistics.com IN A
    Response:
      emrlogistics.com IN CNAME traff-1.hugedomains.com
      traff-1.hugedomains.com IN CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
      hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com IN A 54.209.32.212
      hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com IN A 52.71.57.184
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
    3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    52 B
    1
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
    192 B
    1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    54.209.32.212
    52.71.57.184

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    72KB

    MD5

    77f3a33dffd08f3b15825b78693c1817

    SHA1

    4dba4f5eb71c39e2a3e9e1efe1b722e54e7a4c8f

    SHA256

    8273f041a64e0da91f90a6dab5c283129fa2117d64a5620a2117e391a3f07cb7

    SHA512

    c86bf1e3c707b8392fad339f586f976c03eef908491e177d5d9be68e08ad444e5def123c33c5ded6127dc92c0929b4a417512923cbcaa20426f911c597b95042

  • memory/1680-0-0x0000000000320000-0x0000000000326000-memory.dmp

    Filesize

    24KB

  • memory/1680-1-0x0000000000460000-0x0000000000466000-memory.dmp

    Filesize

    24KB

  • memory/1680-4-0x0000000000320000-0x0000000000326000-memory.dmp

    Filesize

    24KB

  • memory/2296-15-0x0000000000530000-0x0000000000536000-memory.dmp

    Filesize

    24KB

  • memory/2296-20-0x00000000004E0000-0x00000000004E6000-memory.dmp

    Filesize

    24KB
