Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-05-05...er.exe

windows7-x64

9

2024-05-05...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2024, 15:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-05_58b6b7815e797321bafd69e1a0628462_cryptolocker.exe

  • Size

    38KB

  • MD5

    58b6b7815e797321bafd69e1a0628462

  • SHA1

    7963c0bba072daa72b5e9c0a116d216957df67b3

  • SHA256

    da7b0113d386a467bfbe2f6c32a29de9b6ed091d0c505d567a2c3634d45f1a35

  • SHA512

    dfe6a0599a597e84129e9a0e525bbd1c5810193e593ae594d783509752a2f8b4709beaed68da50424e190a57b1b9cb584ff8b8b3f3f2915668e22ba7f7aaef62

  • SSDEEP

    768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITY/s:qDdFJy3QMOtEvwDpjjWMl7TR

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 5 IoCs
  • Detection of Cryptolocker Samples 5 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-05_58b6b7815e797321bafd69e1a0628462_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-05_58b6b7815e797321bafd69e1a0628462_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:2744

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-6.hugedomains.com
    traff-6.hugedomains.com
    IN CNAME
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    IN A
    3.140.13.188
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    IN A
    18.119.154.66
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    52 B
     1
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     193 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    3.140.13.188
    18.119.154.66

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    38KB

    MD5

    0725b755ea070ef918e61c46341dc5a5

    SHA1

    e382fc45ddd5329d037c9ce94a0bb1c5b6ba51af

    SHA256

    427fe42ee4bc4b59d7040fd096f7fd5cab6e71f5f34015253d82a11f011a07d0

    SHA512

    bfc7bfb14e3d62868a52667a05e8c4486fd79e5393b1a2c62ae4edc24c0926584081953c305c75d7bda16592779b20187434800e54fe4311d6b41f62d12d5a01

    Download Submit

  • memory/1784-0-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-2-0x0000000000290000-0x0000000000296000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1784-1-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1784-9-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1784-13-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-17-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2744-26-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.