c4cb2caecc97a4000dfd72ac2c5b025c4eac29253506453b0cf975a9a8bd0ab8

Analysis

max time kernel
159s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe
Size

34KB
MD5

c9fe0b992c8a941c8204593b514fda46
SHA1

9ef8dbf1a86c8bdab461c19afea3e8d8cf26680d
SHA256

c4cb2caecc97a4000dfd72ac2c5b025c4eac29253506453b0cf975a9a8bd0ab8
SHA512

5859cbff279bca436f55a411835e57c2eb3ca7c147f3f942c79a0d21a4135c3c95a3ccf9ea2ea5ecf5ea37611e3a985389b8346f006cb2c39931ff55070937b5
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0J5T:btB9g/WItCSsAGjX7e9NQd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	gewos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4404	3008	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	94
PID 3008 wrote to memory of 4404	3008	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	94
PID 3008 wrote to memory of 4404	3008	2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_c9fe0b992c8a941c8204593b514fda46_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
1d6ec1c4a366fad5a8cf8502870698d5

SHA1
354b40fb63660bf8bd9b3dd61309423cee4cdcd2

SHA256
415f1e4ce6a749fe5c12e4ae295f1c0bf20bcbbf7f203f569a74983aa7ec9899

SHA512
a379ebfe0b9ab07bf8c7ac3071c43b1a357588deb90897b9936d2b8334c2b947c6aecc945dcea8c85a9e1c87588ee038f6e33b6754e2f84341fd31654d43875a

Download Submit
memory/3008-0-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/3008-2-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/3008-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4404-18-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download