Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

5

2024-10-10...er.exe

windows7-x64

7

2024-10-10...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2024, 08:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-10_4227d7fd4ea4c89fa20010c0aba8e3ef_cryptolocker.exe

  • Size

    38KB

  • MD5

    4227d7fd4ea4c89fa20010c0aba8e3ef

  • SHA1

    3781556565e1b0b66c3b2c8cb760f28bffc925bc

  • SHA256

    a6ebcd5adf5a393ddb0b2eaa4607c37d4e1ac0693e6717dfebdb48805134a79d

  • SHA512

    52477e36b663679b0cf140ab3c8648075ea46869a834b8e841a2a8d155648c1dea3b665465506d118102d6be2355e260ca7d040babffadbae27dce7b3c643ce8

  • SSDEEP

    768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5axK3hn:qUmnpomddpMOtEvwDpjjaYaQhn

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-10_4227d7fd4ea4c89fa20010c0aba8e3ef_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-10_4227d7fd4ea4c89fa20010c0aba8e3ef_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1792

Network

  • flag-us
    DNS
    emrlogistics.com
    asih.exe
    Remote address:
    8.8.8.8:53
    Request
    emrlogistics.com
    IN A
    Response
    emrlogistics.com
    IN CNAME
    traff-3.hugedomains.com
    traff-3.hugedomains.com
    IN CNAME
    hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com
    hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com
    IN A
    3.18.7.81
    hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com
    IN A
    3.19.116.195
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-dc-msedge.net
    ax-0001.ax-dc-msedge.net
    IN A
    150.171.29.10
    ax-0001.ax-dc-msedge.net
    IN A
    150.171.30.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    Remote address:
    150.171.29.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2D1887B8D1F765343F0B92ACD0F1640F; domain=.bing.com; expires=Tue, 04-Nov-2025 08:27:35 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1CA73216CB1A4E499B1CFCDCB164E713 Ref B: LON212050701039 Ref C: 2024-10-10T08:27:35Z
    date: Thu, 10 Oct 2024 08:27:34 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    Remote address:
    150.171.29.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2D1887B8D1F765343F0B92ACD0F1640F
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=v9DV3OYy3Ti6fb1dzyaQv2SpVYUSNytVBZSy2gKUXpE; domain=.bing.com; expires=Tue, 04-Nov-2025 08:27:35 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 18227B480BFA4023B988BB25ABD18B7D Ref B: LON212050701039 Ref C: 2024-10-10T08:27:35Z
    date: Thu, 10 Oct 2024 08:27:34 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    Remote address:
    150.171.29.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2D1887B8D1F765343F0B92ACD0F1640F; MSPTC=v9DV3OYy3Ti6fb1dzyaQv2SpVYUSNytVBZSy2gKUXpE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 56421714B9A94D42AAB5307F553F1B7A Ref B: LON212050701039 Ref C: 2024-10-10T08:27:35Z
    date: Thu, 10 Oct 2024 08:27:34 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.29.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.29.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98deploystaticakamaitechnologiescom
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 3.18.7.81:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 150.171.29.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=
    tls, http2
    2.0kB
     9.4kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9d99560b9db4403bbe13c5f66a6ce15a&localId=w:66B95077-CF2F-5A7E-6FF7-2AB84BE1688C&deviceId=6896208602593836&anid=

    HTTP Response

    204
  • 3.19.116.195:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.18.7.81:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.19.116.195:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.18.7.81:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.19.116.195:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.18.7.81:443
    emrlogistics.com
    asih.exe
    260 B
     5
  • 3.19.116.195:443
    emrlogistics.com
    asih.exe
    104 B
     2
  • 8.8.8.8:53
    emrlogistics.com
    dns
    asih.exe
    62 B
     192 B
     1
    1

    DNS Request

    emrlogistics.com

    DNS Response

    3.18.7.81
    3.19.116.195

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     169 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.29.10
    150.171.30.10

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    10.29.171.150.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    10.29.171.150.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    Filesize

    39KB

    MD5

    4653d2332cca0736e6d3250b3dcd2e84

    SHA1

    1d5a2add0297e0ad30f272abcd098f9706ddd7f2

    SHA256

    d670eff55423494c7c9dbcce4707206fb010757e954012c2016c19b67b534f2f

    SHA512

    c8799f9f3acc8ef0663b8051b20d4f9025fe7e32447291ce2628907d5c92a0388cef3447f1865d9d6b8bbc42a2b86de76bddfccb7ad3454e6165ebc9207454c7

    Download Submit

  • memory/1792-19-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1792-20-0x0000000000760000-0x0000000000766000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1792-26-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4788-0-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4788-1-0x0000000002210000-0x0000000002216000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4788-2-0x0000000002210000-0x0000000002216000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4788-3-0x0000000002230000-0x0000000002236000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4788-17-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.