bc01ac271a0ec0a3a7342721ed084b508b1267b2a8d8a8227cdb2e8f84410ad7

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba3b256b90adbec6ec977ce70bf3e400.exe
Size

59KB
MD5

ba3b256b90adbec6ec977ce70bf3e400
SHA1

9c7b25cf0d8b502fc322bcdcc5151a4826530948
SHA256

bc01ac271a0ec0a3a7342721ed084b508b1267b2a8d8a8227cdb2e8f84410ad7
SHA512

c061228898a6d379aa76147627d1a8ee4f4b630c20d948594e667b58617757c72dc60b51b5fd8533c742c844c13b306e9fa58f676557bdeffa38728dd55f1bce
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHNWo:btng54SMLr+/AO/kIhfoKMHd6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ba3b256b90adbec6ec977ce70bf3e400.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 2052	680	ba3b256b90adbec6ec977ce70bf3e400.exe	88
PID 680 wrote to memory of 2052	680	ba3b256b90adbec6ec977ce70bf3e400.exe	88
PID 680 wrote to memory of 2052	680	ba3b256b90adbec6ec977ce70bf3e400.exe	88

C:\Users\Admin\AppData\Local\Temp\ba3b256b90adbec6ec977ce70bf3e400.exe
"C:\Users\Admin\AppData\Local\Temp\ba3b256b90adbec6ec977ce70bf3e400.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
59KB

MD5
1fa9abd801464ed096c824afe9dcb163

SHA1
c15be4cea891c8bca09af46a77e0cc93c8b62f04

SHA256
637994cef21a32ec72f76cb813a834f2652d500d815ddbc1a404da5d404b1f16

SHA512
f1f383ab2c2d7a1db9cece8768ff08ac70a0da6198729b06723633a7c8010323577487a4c8efc20cf5acc32f890c698272ace6b4a38551178e3341e9f1f076ff

Download Submit
memory/680-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/680-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/680-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2052-20-0x0000000002010000-0x0000000002016000-memory.dmp

Filesize
24KB

Download