e53fe9632f87dbf511161ea35fc9510623ad6a58bf035f5b14b5a150697b5529

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe
Size

37KB
MD5

c961b3e429aa504314c0f42f67cd9af9
SHA1

15f343774fb205f0b55d2b6ae62d3dea2af2d433
SHA256

e53fe9632f87dbf511161ea35fc9510623ad6a58bf035f5b14b5a150697b5529
SHA512

c96982f493d691163914f35979840ae9bb2031c56bc506bcb389d364d0b9857f441b779b64250f3d565d916b36cf05fc9bce05acc538244b8b6f30d0fa9df2eb
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunrkwID:btB9g/WItCSsAGjX7e9N0hunrkr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2180	2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe
2684	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2684	2180	2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe	28
PID 2180 wrote to memory of 2684	2180	2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe	28
PID 2180 wrote to memory of 2684	2180	2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe	28
PID 2180 wrote to memory of 2684	2180	2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_c961b3e429aa504314c0f42f67cd9af9_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
28KB

MD5
633174718b72193bca33784f3b7f1cfc

SHA1
338801c443f0757947433e5a33519ab59e700cb6

SHA256
ebf4da5e8202d23ba3d63067d3b124386f648b85b22631aaf552e0f1299401c1

SHA512
8b8048ceacb0fdfc0ffbdd4dee9ceab345321e89a54db47d62ba1a1199537fccec135352b592db3bee1cebf1dc2653551fb65f7ed6d8c4d7830298fb5a8cd1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
37KB

MD5
3620c091d9505e80d4ff0c24220cd93e

SHA1
f8c7ea036109b2d8e02c13cb71149dca1d626dd6

SHA256
edc43830ebf4dc3aa3af97ff99c00355aad0e8fd19d29112d74958c1f7fd8a3c

SHA512
1b3ab717cefb9e198603721e13149decfc7626f62cdacc8625a3f95596eaa39c376c288d9c3a9b4b34bc9a3172771c7bbc5343ff522cb0ec6caa00664fca5b19

Download Submit
\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
30KB

MD5
ed3891bfec5dec4af2e052a684192394

SHA1
dc78496038902f5162c98ad532c753610c76f416

SHA256
e646be97365527fba05894c6de725669599821b9ed5ce0987a683a0da69718e0

SHA512
00f9dd23f095b044309b8a5e6cc40616982a9d30b0b63d6fa05c87c412614d1efde09570cda527c1816b80bf2f56f1fc584872fe58e408cb3a2883bf4a02d9ee

Download Submit
memory/2180-0-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2180-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2180-2-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2684-23-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download