d04f752b3e94d183f5da64d73e87723e6bac25d272bcf113a4204184993af45c

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06a87018a50e8171c7f5fe125d2cb6e.exe
Size

62KB
MD5

f06a87018a50e8171c7f5fe125d2cb6e
SHA1

5a8c6363ee4a1d2c6f016892971376df0eb6d4c1
SHA256

d04f752b3e94d183f5da64d73e87723e6bac25d272bcf113a4204184993af45c
SHA512

49a1102e74acfeba04665ef149ed4163f6de906467725ea17dd3d1b64a00e83898ce018fff9ba6465e3aad02f4ff833feb23d3bc87445c730de988a8174b1270
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHNW0:btng54SMLr+/AO/kIhfoKMHdu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	f06a87018a50e8171c7f5fe125d2cb6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2196	f06a87018a50e8171c7f5fe125d2cb6e.exe
2912	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2912	2196	f06a87018a50e8171c7f5fe125d2cb6e.exe	28
PID 2196 wrote to memory of 2912	2196	f06a87018a50e8171c7f5fe125d2cb6e.exe	28
PID 2196 wrote to memory of 2912	2196	f06a87018a50e8171c7f5fe125d2cb6e.exe	28
PID 2196 wrote to memory of 2912	2196	f06a87018a50e8171c7f5fe125d2cb6e.exe	28

C:\Users\Admin\AppData\Local\Temp\f06a87018a50e8171c7f5fe125d2cb6e.exe
"C:\Users\Admin\AppData\Local\Temp\f06a87018a50e8171c7f5fe125d2cb6e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
62KB

MD5
3f3439ec5317dbd5b0f93a34eedcb6fb

SHA1
6e5243b0533868d1612ece107127197b337ccb50

SHA256
660db0221908ce8973dd39a554b2fc2e9336aadee739bdac033375e65feeb5d7

SHA512
5e01229e2ef636197641581c3395d9b042e5c2e08684d8e255483915c095683e9e96a59043867ff39fd76542e944aac1c6cdcd294f8451fa34f66d0055c38fdc

Download Submit
memory/2196-0-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2196-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2196-8-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2912-17-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download