Analysis

  • max time kernel
    92s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 01:21

General

  • Target

    2024-09-07_c89e9f393d8ae8daddedf05fda291451_cryptolocker.exe

  • Size

    59KB

  • MD5

    c89e9f393d8ae8daddedf05fda291451

  • SHA1

    1b4e23734d1a51045611e9dc9bc5928f1e9437a4

  • SHA256

    afbdfcf277b0d12d1d20c216cbe9a3d534f426f7f3cdbc2419454f75238f484f

  • SHA512

    65762ca76d9aed0252b8170e1837442d0bccfb6f5d57f74bfe1fd65dc0858fb89ed57a79141aa4f8954bf4588ba76e9075bf22f0eb3f69caa1b0c6b7d86b6237

  • SSDEEP

    768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlgcSn:bP9g/xtCS3Dxx0L

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_c89e9f393d8ae8daddedf05fda291451_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_c89e9f393d8ae8daddedf05fda291451_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    59KB

    MD5

    6c193883e05ceb1e37a2465795397a99

    SHA1

    fca0d0712e7591fdf586c8192c36a54432777b2b

    SHA256

    d531ae1eeeb3db9f9f1ce5d23fbe9f906aba1b7f3f505c7187aad3999f2372e8

    SHA512

    983bc8451c971fba4ab0a5f095bd1902be0e9cc03bf36a48b276b26e52baf34b654ee46436555055ef773accb7fdcdad6467c98a68d430e4ba404117862b93d0

  • C:\Users\Admin\AppData\Local\Temp\gewosik.exe

    Filesize

    184B

    MD5

    a10423c789ac4a600d9c336a4f72b65d

    SHA1

    f0425ce006b65b3675cc5922b9d2644b6a4b5ac1

    SHA256

    49cf9598d7926b0f0cb35bb09bca2ce0075eda78e801c8e41ebf32ec03c438ef

    SHA512

    727686c8fbac70106e9cc449f9d94b9d1e80e676c6457f6f3ce0cf7e82deb95b15902f87181593f332efc8138daa618f02eafae549ef7b9626c008da0773fc5e

  • memory/4156-20-0x00000000005F0000-0x00000000005F6000-memory.dmp

    Filesize

    24KB

  • memory/4564-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/4564-1-0x0000000002E90000-0x0000000002E96000-memory.dmp

    Filesize

    24KB

  • memory/4564-2-0x0000000002E90000-0x0000000002E96000-memory.dmp

    Filesize

    24KB

  • memory/4564-3-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB