Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/05/2024, 04:23 UTC

General

  • Target

    2024-05-27_052663c3d31dcc199baa233a47993b07_cryptolocker.exe

  • Size

    57KB

  • MD5

    052663c3d31dcc199baa233a47993b07

  • SHA1

    7f58c64d0473f322de37fe32e48cab3a2bad1430

  • SHA256

    9bd7b28fa13b0f238133fb3a6c9065fd61acbe806e11976971f7ac2c92876b10

  • SHA512

    9787ad61bf09343dd03bb7eef3412125c0c8402ddcd58302ecb86f5d5f4762a281413000f057e2185c865d63637a0af4f1449a3a7814481c69398a7f9ffdc666

  • SSDEEP

    768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlgzCW:bP9g/xtCS3Dxx0nCW

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 3 IoCs
  • UPX dump on OEP (original entry point) 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-27_052663c3d31dcc199baa233a47993b07_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-27_052663c3d31dcc199baa233a47993b07_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2068

Network

  • Remote country: US
    DNS
    nasap.net
    gewos.exe
    Remote address:
    8.8.8.8:53
    Request
    nasap.net
    IN A
    Response
    nasap.net
    IN A
    35.212.119.5
  • Remote country: US
    GET
    https://nasap.net/config/8mo.exe
    gewos.exe
    Remote address:
    35.212.119.5:443
    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: nasap.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 202 Accepted
    Server: nginx
    Date: Mon, 27 May 2024 04:23:44 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    SG-Captcha: challenge
    X-Robots-Tag: noindex
    Set-Cookie: nevercache-b39818=Y;Max-Age=-1
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store,no-cache,max-age=0
    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    X-Proxy-Cache-Info: DT:1
  • 35.212.119.5:443
    https://nasap.net/config/8mo.exe
    tls, http
    gewos.exe
    957 B
    5.8kB
    9
    9

    HTTP Request

    GET https://nasap.net/config/8mo.exe

    HTTP Response

    202
  • 8.8.8.8:53
    nasap.net
    dns
    gewos.exe
    55 B
    71 B
    1
    1

    DNS Request

    nasap.net

    DNS Response

    35.212.119.5
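The Network section above gives four indicators a responder can pivot on: the domain nasap.net, the resolved address 35.212.119.5, the payload path /config/8mo.exe, and the User-Agent string "Updates downloader". The script below is an added example, not Triage's code, that sweeps proxy and DNS logs for those indicators and separates high-confidence matches (domain, IP) from weaker ones (path or User-Agent on their own, since "Updates downloader" is generic enough to appear in unrelated software). The log formats and every log line are constructed for the example; only the indicator values come from the report.

```python
"""Sweep proxy and DNS logs for the network indicators in the Triage report.

Added example (not Triage's code). The indicator values come from the report;
the log formats and the log lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators from the report's Network section.
IOC_DOMAIN = "nasap.net"
IOC_IP = "35.212.119.5"
IOC_URL_PATH = "/config/8mo.exe"
IOC_USER_AGENT = "Updates downloader"  # generic-looking: medium confidence on its own

# Constructed log formats (hypothetical, not any real product's format):
#   proxy: <ts> <client_ip> <method> <url> <status> <bytes> <server_ip> "<user-agent>"
#   dns:   <ts> <client_ip> query: <qname> IN <qtype> -> <answer>
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<server>\S+) "(?P<ua>[^"]*)"$'
)
DNS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+) -> (?P<answer>\S+)$'
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    indicator: str  # "domain", "ip", "url_path" or "ua"
    value: str
    severity: str   # "high" for domain/IP, "medium" for path or UA alone


def split_url(url: str) -> tuple[str, str]:
    """Return (host, path) for 'scheme://host[:port]/path' or a bare 'host:port'
    as seen on CONNECT lines. IPv6 literals are not handled."""
    rest = url.split("://", 1)[1] if "://" in url else url
    hostport, _, path = rest.partition("/")
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return host.lower().rstrip("."), "/" + path


def domain_matches(name: str) -> bool:
    """Exact match or subdomain of the C2 domain (www.nasap.net counts, notnasap.net does not)."""
    name = name.lower().rstrip(".")
    return name == IOC_DOMAIN or name.endswith("." + IOC_DOMAIN)


def scan_proxy(lines: Iterable[str]) -> list[Hit]:
    hits: list[Hit] = []
    for n, raw in enumerate(lines, 1):
        m = PROXY_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        host, path = split_url(m["url"])
        client = m["client"]
        if domain_matches(host):
            hits.append(Hit(n, client, "domain", host, "high"))
        if m["server"] == IOC_IP:
            hits.append(Hit(n, client, "ip", m["server"], "high"))
        if path == IOC_URL_PATH and not domain_matches(host):
            # Same payload path on another host: worth a look, but weaker evidence.
            hits.append(Hit(n, client, "url_path", path, "medium"))
        if m["ua"] == IOC_USER_AGENT:
            hits.append(Hit(n, client, "ua", m["ua"], "medium"))
    return hits


def scan_dns(lines: Iterable[str]) -> list[Hit]:
    hits: list[Hit] = []
    for n, raw in enumerate(lines, 1):
        m = DNS_RE.match(raw.strip())
        if not m:
            continue
        client = m["client"]
        if domain_matches(m["qname"]):
            hits.append(Hit(n, client, "domain", m["qname"], "high"))
        if m["answer"] == IOC_IP:
            hits.append(Hit(n, client, "ip", m["answer"], "high"))
    return hits


def hosts_to_triage(hits: Iterable[Hit]) -> set[str]:
    """Clients with at least one high-confidence hit; medium-only clients need corroboration."""
    return {h.client for h in hits if h.severity == "high"}


# Constructed sample logs (not from the page); timestamps chosen near the report's submission time.
PROXY_LOG = """\
2024-05-27T04:23:43Z 10.0.0.17 CONNECT nasap.net:443 200 957 35.212.119.5 "-"
2024-05-27T04:23:44Z 10.0.0.17 GET http://nasap.net/config/8mo.exe 202 185 35.212.119.5 "Updates downloader"
2024-05-27T04:25:10Z 10.0.0.23 GET http://example.org/index.html 200 3400 93.184.216.34 "Mozilla/5.0"
2024-05-27T04:26:02Z 10.0.0.42 GET http://cdn.example.net/update.bin 200 900 203.0.113.9 "Updates downloader"
2024-05-27T04:27:15Z 10.0.0.51 GET http://203.0.113.77/config/8mo.exe 200 58000 35.212.119.5 "Mozilla/5.0"
"""
DNS_LOG = """\
2024-05-27T04:23:43Z 10.0.0.17 query: nasap.net IN A -> 35.212.119.5
2024-05-27T04:23:50Z 10.0.0.23 query: example.org IN A -> 93.184.216.34
2024-05-27T04:24:01Z 10.0.0.66 query: www.nasap.net IN A -> 35.212.119.5
"""

if __name__ == "__main__":
    all_hits = scan_proxy(PROXY_LOG.splitlines()) + scan_dns(DNS_LOG.splitlines())
    for h in all_hits:
        print(f"{h.severity:6} line {h.line_no} {h.client} {h.indicator}={h.value}")
    print("triage:", sorted(hosts_to_triage(all_hits)))
```

On the constructed input the sweep flags 10.0.0.17 (domain, IP and User-Agent all match), 10.0.0.51 (same server IP and payload path under a different host) and 10.0.0.66 (a subdomain of nasap.net resolving to the C2 address), while 10.0.0.42 only matches the User-Agent and is left for corroboration. Expect the IP indicator to age quickly: 35.212.119.5 sits behind a hosting provider's bot-challenge layer, so the domain is the more durable pivot.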

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    57KB

    MD5

    994fa4f3e09d47f9771cc8d2ae73a17a

    SHA1

    330cbba580303f35aa63016f660789efd0b81b99

    SHA256

    4780ce5b68146c7721696b1c77c0be7443ddad585e3b0c5824258a020bfafcef

    SHA512

    08cf4a8a7b1e3772803661ea30e67d6ce53fee806c2fbaa71f9ad39d85256cb88f64d1e15d7b3a560249f3f1c46acc59235d68375f692eee978851f7b90b242e

  • memory/1276-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1276-1-0x0000000000390000-0x0000000000396000-memory.dmp

    Filesize

    24KB

  • memory/1276-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/1276-9-0x0000000000390000-0x0000000000396000-memory.dmp

    Filesize

    24KB

  • memory/2068-16-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2068-25-0x0000000000300000-0x0000000000306000-memory.dmp

    Filesize

    24KB
