d04f752b3e94d183f5da64d73e87723e6bac25d272bcf113a4204184993af45c

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06a87018a50e8171c7f5fe125d2cb6e.exe
Size

62KB
MD5

f06a87018a50e8171c7f5fe125d2cb6e
SHA1

5a8c6363ee4a1d2c6f016892971376df0eb6d4c1
SHA256

d04f752b3e94d183f5da64d73e87723e6bac25d272bcf113a4204184993af45c
SHA512

49a1102e74acfeba04665ef149ed4163f6de906467725ea17dd3d1b64a00e83898ce018fff9ba6465e3aad02f4ff833feb23d3bc87445c730de988a8174b1270
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHNW0:btng54SMLr+/AO/kIhfoKMHdu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	f06a87018a50e8171c7f5fe125d2cb6e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
4108	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4108	768	f06a87018a50e8171c7f5fe125d2cb6e.exe	92
PID 768 wrote to memory of 4108	768	f06a87018a50e8171c7f5fe125d2cb6e.exe	92
PID 768 wrote to memory of 4108	768	f06a87018a50e8171c7f5fe125d2cb6e.exe	92

C:\Users\Admin\AppData\Local\Temp\f06a87018a50e8171c7f5fe125d2cb6e.exe
"C:\Users\Admin\AppData\Local\Temp\f06a87018a50e8171c7f5fe125d2cb6e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
62KB

MD5
3f3439ec5317dbd5b0f93a34eedcb6fb

SHA1
6e5243b0533868d1612ece107127197b337ccb50

SHA256
660db0221908ce8973dd39a554b2fc2e9336aadee739bdac033375e65feeb5d7

SHA512
5e01229e2ef636197641581c3395d9b042e5c2e08684d8e255483915c095683e9e96a59043867ff39fd76542e944aac1c6cdcd294f8451fa34f66d0055c38fdc

Download Submit
memory/768-0-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/768-1-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/768-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4108-21-0x0000000001F70000-0x0000000001F76000-memory.dmp

Filesize
24KB

Download