c6644fbf582a9af0c943e16d625cd06236512412fb2ce2072d1ef9189bf91986

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d4dbff21197e1_JC.exe
Size

32KB
MD5

8d4dbff21197e1046235f58ce798d8b8
SHA1

8fcad44801d6b90efb02c882631620353f6f5748
SHA256

c6644fbf582a9af0c943e16d625cd06236512412fb2ce2072d1ef9189bf91986
SHA512

e086096fe3237cf27791a8c36ca5b3c189c5c627069c95a39474d686768b1105c89b4cbfb24382171ecba49386f64f075726d513c1a3b3df2d170bb5a8b1c75c
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2ahU6oxh:btB9g/WItCSsAGjX7r3ac

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	8d4dbff21197e1_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1524	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1524	1608	8d4dbff21197e1_JC.exe	87
PID 1608 wrote to memory of 1524	1608	8d4dbff21197e1_JC.exe	87
PID 1608 wrote to memory of 1524	1608	8d4dbff21197e1_JC.exe	87

C:\Users\Admin\AppData\Local\Temp\8d4dbff21197e1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8d4dbff21197e1_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
32KB

MD5
9d52b6cef5898d1450b01e069647769c

SHA1
792a8dc9044450527c51352b0599d0a912c7852c

SHA256
e9fca449daedb77b73d31f4b8be9e775c5cfcaa2abbd1da8885a46c980f72467

SHA512
ac1b77324a90542fb92923328710c56518c1e9eb35b81f788470809f1b7c8827cffaac65d9c5fb6d5ff1ab06bc4aff69ef6e4af417ba9ede288618a43280eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
32KB

MD5
9d52b6cef5898d1450b01e069647769c

SHA1
792a8dc9044450527c51352b0599d0a912c7852c

SHA256
e9fca449daedb77b73d31f4b8be9e775c5cfcaa2abbd1da8885a46c980f72467

SHA512
ac1b77324a90542fb92923328710c56518c1e9eb35b81f788470809f1b7c8827cffaac65d9c5fb6d5ff1ab06bc4aff69ef6e4af417ba9ede288618a43280eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
32KB

MD5
9d52b6cef5898d1450b01e069647769c

SHA1
792a8dc9044450527c51352b0599d0a912c7852c

SHA256
e9fca449daedb77b73d31f4b8be9e775c5cfcaa2abbd1da8885a46c980f72467

SHA512
ac1b77324a90542fb92923328710c56518c1e9eb35b81f788470809f1b7c8827cffaac65d9c5fb6d5ff1ab06bc4aff69ef6e4af417ba9ede288618a43280eeb6

Download Submit
memory/1524-153-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/1608-133-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1608-134-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1608-135-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download