ecd02c4bfdfbb64d7687609911bd5f10bda4997ca8a94523f17de7b01e67a3c7

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea522807e95189994922f0f898d1f14d.exe
Size

60KB
MD5

ea522807e95189994922f0f898d1f14d
SHA1

bb4098f9708a74f2621b5ca7c142456c92f238e8
SHA256

ecd02c4bfdfbb64d7687609911bd5f10bda4997ca8a94523f17de7b01e67a3c7
SHA512

118690efc0e58d737ef3492b2efe1e5c38ae4108d408d387d0b5f537cc18edcbe964e1448e67b561560c47166242681309780ec6eff0e7bcd0c7a36a7238d6a3
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHOE:btng54SMLr+/AO/kIhfoKMHdS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	ea522807e95189994922f0f898d1f14d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1204	116	ea522807e95189994922f0f898d1f14d.exe	82
PID 116 wrote to memory of 1204	116	ea522807e95189994922f0f898d1f14d.exe	82
PID 116 wrote to memory of 1204	116	ea522807e95189994922f0f898d1f14d.exe	82

C:\Users\Admin\AppData\Local\Temp\ea522807e95189994922f0f898d1f14d.exe
"C:\Users\Admin\AppData\Local\Temp\ea522807e95189994922f0f898d1f14d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
60KB

MD5
bb5867cf14be8e9aa8fb3b850c50939f

SHA1
1886df309aa398cdf71ec87332fcbb5edd7a2043

SHA256
11438ff005d417cb1b10cf9d631e1f53b4984276c73aca6cf9fb46a33d1e851d

SHA512
6ed529590db77b6a8f9be9042bdbfd404666e7f3c8cb1f11964febd1dd5e172faed6b781f9d5bce8754b7646cf9e3f7ffee9c73559b0fd9c71d592a51520c5cf

Download Submit
memory/116-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/116-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/116-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1204-20-0x0000000002020000-0x0000000002026000-memory.dmp

Filesize
24KB

Download