Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2024-09-05...er.exe

windows7-x64

7

2024-09-05...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    05/09/2024, 12:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-05_c4c49c0f051730a451e417efdb82d397_cryptolocker.exe

  • Size

    49KB

  • MD5

    c4c49c0f051730a451e417efdb82d397

  • SHA1

    3e7b0a0f77ee06625a78eb10052fa4bfb3a9ec59

  • SHA256

    b5f54d1bf8406fca2a2a8e70182f31ea0c2183eaeb92c7c2968ed2f8ec828fc0

  • SHA512

    af4629b59194df9fb292f3edd6610bc1e5d3ab505aa94e430e79df066441cdf37a8f8ad81962ff6791e37c6744f02a88ce35a7273259b5a9d7c375ccf4d6fd8b

  • SSDEEP

    768:26LsoVEeegiZPvEhHSP+gDdQtOOtEvwDpjtMLZdzuqpXsiE8Wq/DpkITe:26Q0ElP6G+gBQMOtEvwDpjgWMl7Te

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_c4c49c0f051730a451e417efdb82d397_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_c4c49c0f051730a451e417efdb82d397_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1760

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-5.hugedomains.com
    traff-5.hugedomains.com
    IN CNAME
    hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
    hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
    IN A
    34.205.242.146
    hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com
    IN A
    54.161.222.85
  • 34.205.242.146:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.161.222.85:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 34.205.242.146:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.161.222.85:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 34.205.242.146:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.161.222.85:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 34.205.242.146:443
    emrlogistics.com
    asih.exe
    152 B
     3
  • 54.161.222.85:443
    emrlogistics.com
    asih.exe
    52 B
     1
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     192 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    34.205.242.146
    54.161.222.85

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    49KB

    MD5

    f2fb9b3e508bcefe538c530e65793e94

    SHA1

    b070027bed39bae0b657ac69fcb2d647a861f350

    SHA256

    0bc0e9366fd2b90f711ed5242c2943e5dc1f97e48ee28f8fe72121293f522cd9

    SHA512

    d6ee94a179bfaf625e88189c7a7937383c25a365fa994af18550d0565a87f1fc4006080041f55cbb26029e86b48a330ea9ad85992483a568452d63e130bc7490

    Download Submit

  • memory/1760-18-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1760-19-0x0000000000290000-0x0000000000296000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1760-26-0x0000000000500000-0x000000000050B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1948-0-0x0000000000500000-0x000000000050B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1948-1-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1948-3-0x00000000002C0000-0x00000000002C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1948-2-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1948-13-0x00000000004E0000-0x00000000004EB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1948-16-0x0000000000500000-0x000000000050B000-memory.dmp

    Filesize

    44KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.