c4cb2caecc97a4000dfd72ac2c5b025c4eac29253506453b0cf975a9a8bd0ab8

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe
Size

34KB
MD5

c9fe0b992c8a941c8204593b514fda46
SHA1

9ef8dbf1a86c8bdab461c19afea3e8d8cf26680d
SHA256

c4cb2caecc97a4000dfd72ac2c5b025c4eac29253506453b0cf975a9a8bd0ab8
SHA512

5859cbff279bca436f55a411835e57c2eb3ca7c147f3f942c79a0d21a4135c3c95a3ccf9ea2ea5ecf5ea37611e3a985389b8346f006cb2c39931ff55070937b5
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0J5T:btB9g/WItCSsAGjX7e9NQd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2900	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2900	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe
2396	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2396	2900	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	17
PID 2900 wrote to memory of 2396	2900	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	17
PID 2900 wrote to memory of 2396	2900	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	17
PID 2900 wrote to memory of 2396	2900	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	17

C:\Users\Admin\AppData\Local\Temp\2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
5KB

MD5
7762aa38637e4b094355f07b5e6805a3

SHA1
24731500adbc1a6a29c672b9717c3b6a8e714bb4

SHA256
521b84ccadd6e6479dda700a34f1bf546e7a79684dcd8c9b5e14ed5cc4069f24

SHA512
5906f278dbc93f94f34a6b180761638200012bc91e8cb111d6434f499612ea8f0fa94f301d1ef88a2c01e49f589154a1ffb86b589cdf49e11127821b50da87d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
14KB

MD5
a23cfbf1c50758451c3cbf68e225a65d

SHA1
361cd211eb027814377b8762ab58da4db8037357

SHA256
e67a32a563775603d5129072fc351846c1f4ba7592459f8a7fae67f3850dd70d

SHA512
9d19e9370e2f11bd6a6e2d3b2fee8ed2468aa2cdc1cdc23303bde95a390df2ba5913c4f37e9362322f791b4aebb2a78c1d9ccc77fcf0845088d5fd2e81cf2ba3

Download Submit
\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
1d6ec1c4a366fad5a8cf8502870698d5

SHA1
354b40fb63660bf8bd9b3dd61309423cee4cdcd2

SHA256
415f1e4ce6a749fe5c12e4ae295f1c0bf20bcbbf7f203f569a74983aa7ec9899

SHA512
a379ebfe0b9ab07bf8c7ac3071c43b1a357588deb90897b9936d2b8334c2b947c6aecc945dcea8c85a9e1c87588ee038f6e33b6754e2f84341fd31654d43875a

Download Submit
memory/2396-23-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2900-0-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2900-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2900-1-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download