Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-06-03...er.exe

windows7-x64

9

2024-06-03...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 04:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-03_52373466b7674e49e7b8cfafc00bae34_cryptolocker.exe

  • Size

    37KB

  • MD5

    52373466b7674e49e7b8cfafc00bae34

  • SHA1

    42946ad853b08372538eaed7bca7c7d6435440a4

  • SHA256

    711c05bc6ec2b9cef23593d72207307b5edb63ab71351d0063ece0635a2aceba

  • SHA512

    2c78c5a34a77493451fda92880c845bbf0fffc03df1289c1d078057d961165fffc598c08307f1bb63a71e6e722bba4ce0d6481665d5cadbfac17df5bf6490a6b

  • SSDEEP

    768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axK3VKLz:qUmnpomddpMOtEvwDpjjaYaQQz

Score
9/10
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-03_52373466b7674e49e7b8cfafc00bae34_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-03_52373466b7674e49e7b8cfafc00bae34_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:3060

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-2.hugedomains.com
    traff-2.hugedomains.com
    IN CNAME
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.204.160
    hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
    IN A
    3.130.253.23
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.204.160:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 3.130.253.23:443
    emrlogistics.com
    asih.exe
    52 B
     1
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     192 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    3.130.204.160
    3.130.253.23

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    37KB

    MD5

    38ddb2b13f992dcf89181735e0c4f3a5

    SHA1

    902840570b4f2c0b5d36cd77e9be44323329984c

    SHA256

    c0d9e0dc8ab794c3413129c9fc90058918a103c36e3a4d09d539c0c9f91cfc6b

    SHA512

    a870d58c22b7843b7050c00586ba567523ebab52a588925425fe3cf76dc48d6fd648c1c5388304e38a3e2e3fec199efa1519598e4a75e16fd6621313523e0a1e

    Download Submit

  • memory/1716-8-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1716-9-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1716-1-0x00000000003A0000-0x00000000003A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1716-0-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3060-16-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3060-18-0x0000000000530000-0x0000000000536000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3060-25-0x00000000002D0000-0x00000000002D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3060-26-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.