999ca52c2b7fa11ed1a029456f8f4fae4d149f93dd1c8a34fad10095760e70ab

Analysis

max time kernel
82s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe
Size

37KB
MD5

2adb6115a19925d21e7dc05c683ec5c9
SHA1

7cfc51c30b552b2f0dbf3457f9daa1872d2e05e3
SHA256

999ca52c2b7fa11ed1a029456f8f4fae4d149f93dd1c8a34fad10095760e70ab
SHA512

efcf173d2fed61173017f181ce002305c56749bd4710abfbb7ac811f6baee697bb69717fd45a75434b1724f073597a617b3358433cf50d84f33ff7934b5df94a
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXuni8LBjML:btB9g/WItCSsAGjX7e9N0hunLA

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exegewos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

4420 gewos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4420	gewos.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe

description	pid	process	target process
PID 2304 wrote to memory of 4420	2304	2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe	gewos.exe
PID 2304 wrote to memory of 4420	2304	2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe	gewos.exe
PID 2304 wrote to memory of 4420	2304	2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe	gewos.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_2adb6115a19925d21e7dc05c683ec5c9_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\gewos.exe
"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
37KB

MD5
344b511239e36508686bd9855d315b24

SHA1
7119cde9767db211c026072f0fda7fb35193262b

SHA256
0dbc3507e128697328a86b41394c144d198efcd81a64beeb49d4b6e9549e4932

SHA512
3ab7cb1028f8b2bc03fd4d2629d1e2f82555a3f61977f9d30e21d15c7e600132ebfb75bcef493190077a46d2693875fdfe52a31a7fcfee6fe3d6312d09f640cc

Download Submit
memory/2304-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2304-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2304-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4420-20-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download