Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 05:30 UTC

General

  • Target

    2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe

  • Size

    33KB

  • MD5

    1e098a91f5deba98f586a01e2b2206ba

  • SHA1

    5063a0c4f10761292b4eb8bf8def94ff00034b2f

  • SHA256

    0bc398c17feb0dc8a948419b48eb013cc133e2c14bd83e27974ae394f555f377

  • SHA512

    bc69df6db67952696e1ba387cace5fd3959003650b2b9279e542f5eafe30821564b7b32c8da18963344f3b53dce22d1e681d91cb3675412b0e4fda2dc43f9116

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cuM9gxrW:bAvJCYOOvbRPDEgXRcuM9gxa

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-17_1e098a91f5deba98f586a01e2b2206ba_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:1408

Network

  • DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82.deploy.static.akamaitechnologies.com
  • DNS
    ttms.org
    demka.exe
    Remote address:
    8.8.8.8:53
    Request
    ttms.org
    IN A
    Response
    ttms.org
    IN A
    35.215.114.222
  • GET
    https://ttms.org/config/UKo8.exe
    demka.exe
    Remote address:
    35.215.114.222:443
    Request
    GET /config/UKo8.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: ttms.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 17 Apr 2024 05:31:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Httpd: 1
    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    X-Proxy-Cache: HIT
  • DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    222.114.215.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    222.114.215.35.in-addr.arpa
    IN PTR
    Response
    222.114.215.35.in-addr.arpa
    IN PTR
    222.114.215.35.bc.googleusercontent.com
  • DNS
    11.97.55.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.97.55.23.in-addr.arpa
    IN PTR
    Response
    11.97.55.23.in-addr.arpa
    IN PTR
    a23-55-97-11.deploy.static.akamaitechnologies.com
  • DNS
    21.114.53.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.114.53.23.in-addr.arpa
    IN PTR
    Response
    21.114.53.23.in-addr.arpa
    IN PTR
    a23-53-114-21.deploy.static.akamaitechnologies.com
  • DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    24.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.139.73.23.in-addr.arpa
    IN PTR
    Response
    24.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-24.deploy.static.akamaitechnologies.com
  • DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 35.215.114.222:443
    https://ttms.org/config/UKo8.exe
    tls, http
    demka.exe
    3.8kB
    90.7kB
    73
    69

    HTTP Request

    GET https://ttms.org/config/UKo8.exe

    HTTP Response

    404
  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    ttms.org
    dns
    demka.exe
    54 B
    70 B
    1
    1

    DNS Request

    ttms.org

    DNS Response

    35.215.114.222

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    222.114.215.35.in-addr.arpa
    dns
    73 B
    126 B
    1
    1

    DNS Request

    222.114.215.35.in-addr.arpa

  • 8.8.8.8:53
    11.97.55.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    11.97.55.23.in-addr.arpa

  • 8.8.8.8:53
    21.114.53.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    21.114.53.23.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    24.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    24.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\demka.exe

    Filesize

    34KB

    MD5

    c412382b8f543f3d11ae17fd6e59b169

    SHA1

    fc00fb65d8c790fe093beb011ec0e58715c62895

    SHA256

    a0f7234c8e146726a9af0caaf249364badf34eefb5241f8cee4737cc74ab10fc

    SHA512

    89bf44da50a69b8a21568a1a80143b01db2fdcc5c742d5135359b12a12a0075826d47dd3a9d04419acf8bad41cef12cb9fa9b5ffabe2e45d6f5c646a31bf17a4

  • memory/1408-21-0x00000000005F0000-0x00000000005F6000-memory.dmp

    Filesize

    24KB

  • memory/4788-0-0x0000000000730000-0x0000000000736000-memory.dmp

    Filesize

    24KB

  • memory/4788-1-0x0000000000730000-0x0000000000736000-memory.dmp

    Filesize

    24KB

  • memory/4788-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB
