c52987bb58a62755a4097b5e9adc6a75cb1262a5d961b4e729d2cea78486ac22

Analysis

max time kernel
20s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe
Size

34KB
MD5

afa7eb6263eef64f0c52658895fa0b02
SHA1

ce440058b33e0988742d136b6635a2ec2a2ed705
SHA256

c52987bb58a62755a4097b5e9adc6a75cb1262a5d961b4e729d2cea78486ac22
SHA512

9601f0a0825441c659175e8ecbc04d05f9606e82fc0c3a786f320e63e8024b615ddc2c3c91799d3ae0502acf26aac2f364d327f0f22a1c58e173634f4c07bdf0
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0J5z:btB9g/WItCSsAGjX7e9NQt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2124	2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe
2632	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2632	2124	2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe	21
PID 2124 wrote to memory of 2632	2124	2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe	21
PID 2124 wrote to memory of 2632	2124	2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe	21
PID 2124 wrote to memory of 2632	2124	2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe	21

C:\Users\Admin\AppData\Local\Temp\2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_afa7eb6263eef64f0c52658895fa0b02_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
11KB

MD5
ba1132ccdf5fb7e6ee0e8dd16729a635

SHA1
572238cd6b7a07692a5c3c7be6d776c312c269e8

SHA256
76661a9577f764a9ba650e665616d2100a5be0f70598b91e8278233fbe80a292

SHA512
7a4097bae33b23473cfa8fc56c3ebb13b5d3eb178a139e83e040484c464259f1764e2d46e49c2981e3af693390601248e65c7680b9a53f92852c37e868a92c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
5cd092b65f8577739061afd71c17a2c7

SHA1
8abf07a3f54a26418275e8aa897a65f069ee6227

SHA256
91e28850757a152ec019a87c605504958277b2437d631b33beb13f3715262577

SHA512
6e4d618e442ca93d453c10abffdf6418f49ab6269bc0aa8e3bcee2b08c59c4c2c31a8b6cc96aa61f12c95e5364966f1f8ffd88d7a4d67282ea53faa7c6101c6e

Download Submit
\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
7KB

MD5
c5278965b29147ceeaa3ca134f5e9aa9

SHA1
5ae2917b24371ff39afc3e601a6bf38f11cad2b2

SHA256
6d1288dcbadf2f7a3c9af4b320bce0f89f92c99f856593604d608f1668caa426

SHA512
d8f09b5a3151a13bd3231a2e515b1f6869175d459a5bd938f5f30017bc6458b26e330196251c2d48789337e636855f0e051b6151b9eb374ec1c1e5033facc8fc

Download Submit
memory/2124-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2124-3-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2124-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2632-17-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download