c16b892e0e7a2a0a1ef126f26b9c4a1c3a58bbec0bc37ff9d129752448984744

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe
Size

41KB
MD5

b75614e563b8aa5ca468242023dd0026
SHA1

7d1225e2f5d9b92c07f45f2fed28d5e2d8012fa6
SHA256

c16b892e0e7a2a0a1ef126f26b9c4a1c3a58bbec0bc37ff9d129752448984744
SHA512

83ab4d034e3760c2d2bd316a2ffec10b5b738e8c7d2d79691fe58c21b5b395a2e4b383a396df6e5e5f3434346f9f0caa177f7c14f5c39f3b624d5c8db9c19357
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunKzH15U/Eo:btB9g/WItCSsAGjX7e9N0hunKLY7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023305-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3944	208	2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe	83
PID 208 wrote to memory of 3944	208	2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe	83
PID 208 wrote to memory of 3944	208	2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_b75614e563b8aa5ca468242023dd0026_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
41KB

MD5
cf9f20e0df712720667725c563dbf666

SHA1
9ad27599582c3dc8f1d9a9da85b8a9c2ab8cd6f2

SHA256
eeb077b5036e461d92f34d9b68b0127a1b086d20c9f387884d302b16a315968e

SHA512
d9bea16841a5ea5342e596f4350cc25fbf47a80f6b28db33d535fe93805ef5394a013b65dfff0cf5903722eba97387a43c457f747c77d1e31de5ff8212549e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
db634d4636f02e5c82d86c2540ed1ffa

SHA1
a8084b7412e7d371aa37cfe7e48e4547ca7ee143

SHA256
1a38e25c75edd96d07a94a663e31a6395a45a408361cab0f3faafe277389e5b8

SHA512
5e822d5435ebf3a438efc1f8acdc6458baf5074a3498b7d0d7af1a72e0013f26fe1f237dfcbc6508043bcc6fad0017023478a7df9ba7c3f83fd3df2bd4c1ea82

Download Submit
memory/208-0-0x0000000002080000-0x0000000002086000-memory.dmp

Filesize
24KB

Download
memory/208-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/208-8-0x0000000002080000-0x0000000002086000-memory.dmp

Filesize
24KB

Download
memory/3944-25-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download