842828aab1ddc556445780d829672ab1510e2fdbb319d12dae039ef860747588

Analysis

max time kernel
121s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 02:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a96098e70dbc481d2fe4a9c01078f42b.exe
Size

61KB
MD5

a96098e70dbc481d2fe4a9c01078f42b
SHA1

8531825926b2683a601faf7ef2144c3483a5e914
SHA256

842828aab1ddc556445780d829672ab1510e2fdbb319d12dae039ef860747588
SHA512

8b4b282b0d50a53b29f653bcacc6653edc44f253ffa0482273929c4b4fd685029e8e86cf2870d93a0ed4ee27dcc13638c28747e97780aee14661586666dfcf02
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHay:btng54SMLr+/AO/kIhfoKMHdo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2816	a96098e70dbc481d2fe4a9c01078f42b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2816	a96098e70dbc481d2fe4a9c01078f42b.exe
2684	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2684	2816	a96098e70dbc481d2fe4a9c01078f42b.exe	28
PID 2816 wrote to memory of 2684	2816	a96098e70dbc481d2fe4a9c01078f42b.exe	28
PID 2816 wrote to memory of 2684	2816	a96098e70dbc481d2fe4a9c01078f42b.exe	28
PID 2816 wrote to memory of 2684	2816	a96098e70dbc481d2fe4a9c01078f42b.exe	28

C:\Users\Admin\AppData\Local\Temp\a96098e70dbc481d2fe4a9c01078f42b.exe
"C:\Users\Admin\AppData\Local\Temp\a96098e70dbc481d2fe4a9c01078f42b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
61KB

MD5
2403bf5b9efef9a064ed3e57116ccb53

SHA1
39fe2c7d87fd6424f0331522f47b94b1904037ca

SHA256
90b34e19aef4e7bbb097e1de46e18ea4b3e02c49a64554259a44bcb381b729b5

SHA512
69614584508feb462f8fd9f44b78b547dccd4e0af7ac7c0d1fc569b30badfa868e8d6f3ede57192b73f7ce418833f93981d1906f0ee7154ced1bb310d0bcbaab

Download Submit
memory/2684-16-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2816-0-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2816-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2816-8-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download