Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-01-28...er.exe

windows7-x64

9

2024-01-28...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2024, 18:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-28_1142eaa4e6ccccb6215ddbaa8fa2f028_cryptolocker.exe

  • Size

    73KB

  • MD5

    1142eaa4e6ccccb6215ddbaa8fa2f028

  • SHA1

    638e1b39028e61fe3f342b85cfaeb09fb70ffaab

  • SHA256

    37567f9e3d3a8377cff676be6e4fab8b641e264fbc09277b5714a305c2e75925

  • SHA512

    28e0f7a4c879d99064cdd8f14f1d3197c433dfe7fb2bcdc5b14a04f4367692debe61791a7adc486c324d82300a3bc1d0d41c33224c07cb17987729cdd33db053

  • SSDEEP

    1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTNUOAkXtBdxPUxuR:T6a+rdOOtEvwDpjNtHPD

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_1142eaa4e6ccccb6215ddbaa8fa2f028_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_1142eaa4e6ccccb6215ddbaa8fa2f028_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:2056

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-1.hugedomains.com
    traff-1.hugedomains.com
    IN CNAME
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    IN A
    52.71.57.184
    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
    IN A
    54.209.32.212
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 52.71.57.184:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.209.32.212:443
    emrlogistics.com
    asih.exe
    52 B
     1
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     192 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    52.71.57.184
    54.209.32.212

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    74KB

    MD5

    6a4069dd4480d2c634f9e4f831086a4a

    SHA1

    0fd3c6675b1fd59b8c4ec127da5e6a6eb7950f10

    SHA256

    ba1cd424696979b5c1706c04b625945ac09d17cae169ff2f9ee9297a9f00ce95

    SHA512

    58ad319c0298bd6bef2c04140eb9bf735e90692c0de6d851b62163a2886e2147e5d82ef27a151a4adcb9d327117b4394bf163f00abfe9e6b3bbeed470e5b1316

    Download Submit

  • memory/2056-24-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2056-25-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2800-0-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2800-1-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2800-3-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2800-2-0x0000000000290000-0x0000000000296000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2800-15-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.