Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 17:49 UTC
Static task
static1
Behavioral task
behavioral1
Sample
15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe
Resource
win10v2004-20240319-en
General
-
Target
15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe
-
Size
35KB
-
MD5
ef6aff1c3857293362924a4a7ffeb8ac
-
SHA1
5bcd17af196edfbee1a1ae8ded04807000dd5a3c
-
SHA256
15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e
-
SHA512
681d31bb1dd967cac47ec2d8ac240627d1242e87bc6d61588c214c39d30c3c9ef6bacf3235098db9491d58811cea725c02dc2e61459c66202ef39c460b76b8b6
-
SSDEEP
768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6WaJIOc+UPPb6b:YGzl5wjRQBBOsP1QMOtEvwDpjgarJb
Malware Config
Signatures
-
Detection of CryptoLocker Variants 3 IoCs
resource yara_rule behavioral2/memory/4644-0-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x000800000002335f-13.dat CryptoLocker_rule2 behavioral2/memory/4644-17-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 3 IoCs
resource yara_rule behavioral2/memory/4644-0-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 behavioral2/files/0x000800000002335f-13.dat CryptoLocker_set1 behavioral2/memory/4644-17-0x0000000000500000-0x000000000050B000-memory.dmp CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation 15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe -
Executes dropped EXE 1 IoCs
pid Process 1784 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4644 wrote to memory of 1784 4644 15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe 95 PID 4644 wrote to memory of 1784 4644 15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe 95 PID 4644 wrote to memory of 1784 4644 15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe"C:\Users\Admin\AppData\Local\Temp\15fe618d8e827be3368fde96b031e617f1b5d0a491e7f301197039274c27938e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:1784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4168 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:81⤵PID:1600
Network
-
Remote address:8.8.8.8:53Request147.177.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestemrlogistics.comIN AResponseemrlogistics.comIN CNAMEtraff-6.hugedomains.comtraff-6.hugedomains.comIN CNAMEhdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.comhdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.comIN A3.140.13.188hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.comIN A18.119.154.66
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request105.211.222.173.in-addr.arpaIN PTRResponse105.211.222.173.in-addr.arpaIN PTRa173-222-211-105deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request5.179.17.96.in-addr.arpaIN PTRResponse5.179.17.96.in-addr.arpaIN PTRa96-17-179-5deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request107.211.222.173.in-addr.arpaIN PTRResponse107.211.222.173.in-addr.arpaIN PTRa173-222-211-107deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388216_1SP7N5FKYH04QEW3Y&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239339388216_1SP7N5FKYH04QEW3Y&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 364778
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4BAFC6F4DCB94CCF9EDA53C1946A8F60 Ref B: LON04EDGE1110 Ref C: 2024-03-27T17:51:46Z
date: Wed, 27 Mar 2024 17:51:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 577346
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B4E451F136594BEF8F05AB99E32D0A97 Ref B: LON04EDGE1110 Ref C: 2024-03-27T17:51:46Z
date: Wed, 27 Mar 2024 17:51:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 374313
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8E7E8CE22C894791925BAD20601E7F62 Ref B: LON04EDGE1110 Ref C: 2024-03-27T17:51:46Z
date: Wed, 27 Mar 2024 17:51:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 676162
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AD1D697A400A4A42B3A3B8A4FE105ABA Ref B: LON04EDGE1110 Ref C: 2024-03-27T17:51:46Z
date: Wed, 27 Mar 2024 17:51:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360266662_1HDPCEFCKT80ZHIEH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360266662_1HDPCEFCKT80ZHIEH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 734405
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6401DEE3EF014073AF80BC1607FFFC02 Ref B: LON04EDGE1110 Ref C: 2024-03-27T17:51:46Z
date: Wed, 27 Mar 2024 17:51:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360266663_1E57D2H6MI54M9FR3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360266663_1E57D2H6MI54M9FR3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 737668
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B878399A3A994D369DFF8733E4F2188B Ref B: LON04EDGE1110 Ref C: 2024-03-27T17:51:46Z
date: Wed, 27 Mar 2024 17:51:46 GMT
-
Remote address:8.8.8.8:53Request209.80.50.20.in-addr.arpaIN PTRResponse
-
46 B 1
-
260 B 5
-
260 B 5
-
46 B 40 B 1 1
-
260 B 5
-
260 B 5
-
260 B 5
-
1.2kB 8.1kB 16 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239360266663_1E57D2H6MI54M9FR3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2128.4kB 3.6MB 2635 2630
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388216_1SP7N5FKYH04QEW3Y&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360266662_1HDPCEFCKT80ZHIEH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360266663_1E57D2H6MI54M9FR3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 8.1kB 16 14
-
1.2kB 8.1kB 16 14
-
1.2kB 8.1kB 16 14
-
260 B 5
-
260 B 5
-
52 B 1
-
73 B 159 B 1 1
DNS Request
147.177.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
62 B 193 B 1 1
DNS Request
emrlogistics.com
DNS Response
3.140.13.18818.119.154.66
-
70 B 156 B 1 1
DNS Request
9.228.82.20.in-addr.arpa
-
74 B 141 B 1 1
DNS Request
105.211.222.173.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
5.179.17.96.in-addr.arpa
-
74 B 141 B 1 1
DNS Request
107.211.222.173.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
71 B 157 B 1 1
DNS Request
209.80.50.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5936d0589287f5718bbab3e40c38278bb
SHA1affc83e5301e34f30eaddbe04230cc98a0b593aa
SHA256f3eb17514730195a49e00d35ebaecb9dee20aebdc72c782e4551c1218f0b157a
SHA512cf57243b9380852935c96d5106875152ef65c1515a419d33522f37599ec803ade934c220ed37a43b21170669d29be7e81e5e2b22263c75f758907a9a459ff93d