4928e78ab03cf9f4d2fcdafd76486b7a65061485163f2f1734058ff71f01b937

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe
Size

36KB
MD5

dd00042d6c107ffaca1266f1e5339315
SHA1

d39e805d86ae373cbd0fffa8296ebc0a28aa9ed9
SHA256

4928e78ab03cf9f4d2fcdafd76486b7a65061485163f2f1734058ff71f01b937
SHA512

24f9d8d42180ca52884f9637ec3f2c592150e0cee6b565bb91623ae757c9681acf857d8107d1ebb1702f641eb77873eae4b16dc284119a95393ad3c021271952
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qZvUo:btB9g/WItCSsAGjX7r3BTZvUo

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002328e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	gewos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3148	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3148	3216	2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe	82
PID 3216 wrote to memory of 3148	3216	2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe	82
PID 3216 wrote to memory of 3148	3216	2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_dd00042d6c107ffaca1266f1e5339315_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
36KB

MD5
963d85382f595da2593e08cf19dd6073

SHA1
c4711933c0f6fc22ea86ca571891e07611159573

SHA256
d11e756e6c2fe389dd6117430e8acbf6b2595768164cabd36a75a194ff4ad466

SHA512
4a5437d13705462911970f6854a4fbe6be340c9f5142dd4be24079e6504639d49d5d82db34381f416762a60f31b65958b5793971da803a44642925183d3d9701

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
46afaf1b17a0b321e6fe10aa9e329791

SHA1
64833ade1f476c99125ecfba4f3278c2021196b2

SHA256
737ec2217a4f9e987ac4e3a5d34fcdf3119b4d69bdb8973c68da277cd30d8cd2

SHA512
e3aaf7a9ac9a3c33459519f77a1ec9acb6b27a4881392d3417c84ef82c700c12bfc66d31c2cd340fffb078916b234f58ff1666bf95bb240d5ceb8b606fa47f82

Download Submit
memory/3148-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/3216-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3216-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3216-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download