Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-05-14...er.exe

windows7-x64

9

2024-05-14...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 04:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-14_80939618aee2469ac2b334ed4c85a2ba_cryptolocker.exe

  • Size

    65KB

  • MD5

    80939618aee2469ac2b334ed4c85a2ba

  • SHA1

    1df431c94890f8a6ff3c354c62ef83f93fcd7738

  • SHA256

    8c23fb2a9edd2c6b0a45ee2bc134a005d5f91e6abb334e955cea0579eaf34403

  • SHA512

    f15deef628045a69d8cac1469307a4d0d4b455eb7dfdea5b5502239f9a4ed8b8c5e5ffbe1b2a706892153cd14f532675e3e71cdcfc53ce3808548a1c5b876eda

  • SSDEEP

    1536:P8mnK6QFElP6n+gymddpMOtEvwDpjYZ8xG:1nK6a+qdOOtEvwDpjk

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-14_80939618aee2469ac2b334ed4c85a2ba_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-14_80939618aee2469ac2b334ed4c85a2ba_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:2516

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-6.hugedomains.com
    traff-6.hugedomains.com
    IN CNAME
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    IN A
    18.119.154.66
    hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
    IN A
    3.140.13.188
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 18.119.154.66:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.140.13.188:443
    emrlogistics.com
    asih.exe
    52 B
     1
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     193 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    18.119.154.66
    3.140.13.188

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    66KB

    MD5

    45c68298c23b71fcefe670ffd49724c7

    SHA1

    a5267e2f37a53bca4e18482eb7aaca22db6a3d67

    SHA256

    42c232bf36143cc79db8670bfdcb7b486c42f1a587c56046bac93e7e69f6400b

    SHA512

    8d20026fbdf2614714577c37ddf1152403cd3c253d34e81e9b1a85102044317ab96db5b129e21fbb4041b0a2a1d352c4ad94225d76d0de1d5c939a485f389330

    Download Submit

  • memory/1524-0-0x0000000000500000-0x000000000050F311-memory.dmp

    Filesize

    60KB

    Download

  • memory/1524-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1524-2-0x0000000000370000-0x0000000000376000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1524-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1524-15-0x0000000000500000-0x000000000050F311-memory.dmp

    Filesize

    60KB

    Download

  • memory/2516-18-0x0000000000270000-0x0000000000276000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2516-17-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2516-25-0x0000000000500000-0x000000000050F311-memory.dmp

    Filesize

    60KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.