Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-15...er.exe

windows7-x64

9

2024-04-15...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2024, 10:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-15_c86e753ecd2712a2f05f6a6291278235_cryptolocker.exe

  • Size

    36KB

  • MD5

    c86e753ecd2712a2f05f6a6291278235

  • SHA1

    64ca7fd4b10cee49ab9c334bc427a7b207a9bcd6

  • SHA256

    c7266d9f4a78f8871d9a56f7be6e9de591fe27c233e299836a43fa6b40b13c82

  • SHA512

    7b15efb19a4edc8c04e22b1621ec576b877369c1a5fc2a943fbe2c4724cdb08ac872415d48b56a7d65ef72e28119fa4a3528104257d2b400a9669bf6cbda942b

  • SSDEEP

    768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axKp:qUmnpomddpMOtEvwDpjjaYaq

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-15_c86e753ecd2712a2f05f6a6291278235_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-15_c86e753ecd2712a2f05f6a6291278235_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:3972

Network

  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-2.hugedomains.com
    traff-2.hugedomains.com
    IN CNAME
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.204.160
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.253.23
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.dc-msedge.net
    dual-a-0034.dc-msedge.net
    IN A
    131.253.33.237
    dual-a-0034.dc-msedge.net
    IN A
    13.107.22.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    131.253.33.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0579A330973068CC0FFEB75296496902; domain=.bing.com; expires=Sat, 10-May-2025 10:12:32 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AF9D27D60A254F18B7001CD704C0C80B Ref B: LON212050706051 Ref C: 2024-04-15T10:12:32Z
    date: Mon, 15 Apr 2024 10:12:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    131.253.33.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0579A330973068CC0FFEB75296496902
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=tCAca_g-p_TYYOg1-mZ08nELr98GSKvkekqel4vqDjo; domain=.bing.com; expires=Sat, 10-May-2025 10:12:32 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 57C2F6EDEAF14385BCACD1E05BE66432 Ref B: LON212050706051 Ref C: 2024-04-15T10:12:32Z
    date: Mon, 15 Apr 2024 10:12:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    131.253.33.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0579A330973068CC0FFEB75296496902; MSPTC=tCAca_g-p_TYYOg1-mZ08nELr98GSKvkekqel4vqDjo
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2196360DADD94B378ED194F7A3D5EB15 Ref B: LON212050706051 Ref C: 2024-04-15T10:12:33Z
    date: Mon, 15 Apr 2024 10:12:32 GMT
  • flag-us
    DNS
    237.33.253.131.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.33.253.131.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.114.53.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.114.53.23.in-addr.arpa
    IN PTR
    Response
    21.114.53.23.in-addr.arpa
    IN PTR
    a23-53-114-21deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    24.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.139.73.23.in-addr.arpa
    IN PTR
    Response
    24.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-24deploystaticakamaitechnologiescom
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0lhrllnwnet
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 131.253.33.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    tls, http2
    2.0kB
     9.2kB
     21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cea46a12266049c19f8850b2da611743&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 20.231.121.79:80
    46 B
     1
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    104 B
     2
  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     192 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    3.130.204.160
    3.130.253.23

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     173 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    131.253.33.237
    13.107.22.237

  • 8.8.8.8:53
    237.33.253.131.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.33.253.131.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    21.114.53.23.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    21.114.53.23.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    24.139.73.23.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    24.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    36KB

    MD5

    dc2144aaa5074e8bf3b4d85458fba9f7

    SHA1

    fb482443786abaa98df00397ff62d1e99d061caf

    SHA256

    d7fc082939362020c19cd53fd691ba3ba5fd3cfca3e887b71db41e24d073b84c

    SHA512

    d8d8de36638cef50d6ac2d80a008bb4743bdfb0719db3c0aa4c36e3717cd9d210cad198fadd66fb7136091da45c64978b3732230c4391b0d47d87b3b447c7b35

    Download Submit

  • memory/3972-19-0x00000000004F0000-0x00000000004F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3972-20-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3972-26-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4536-0-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4536-1-0x00000000021C0000-0x00000000021C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4536-2-0x00000000021C0000-0x00000000021C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4536-3-0x00000000020E0000-0x00000000020E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4536-16-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.