185575722c3c57bd11f45ff58ec7c49f292b8ffa103a3299f633b376c77d7091

Analysis

max time kernel
136s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe
Size

57KB
MD5

22508bb1ba27d4cea5256e3b0a65fb78
SHA1

6432b886ab6255a666d4514b98bc4f0dc3afff21
SHA256

185575722c3c57bd11f45ff58ec7c49f292b8ffa103a3299f633b376c77d7091
SHA512

d669ab664f0e7cc6f3d43856ac55a26724acabd0d7dd215410c69579028f3ca319251bf2d492a494a068e735695646792d746b78173b0ac76b65851fc87b549e
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlbQ9mEe:bP9g/xtCS3Dxx0AQUZ

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4400-0-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2
C:\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2
behavioral2/memory/2760-19-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4400-0-0x0000000000400000-0x000000000040E000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\gewos.exe	UPX
behavioral2/memory/2760-19-0x0000000000400000-0x000000000040E000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exegewos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

2760 gewos.exe

pid	process
2760	gewos.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4400-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\gewos.exe	upx
behavioral2/memory/2760-19-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe

description	pid	process	target process
PID 4400 wrote to memory of 2760	4400	2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe	gewos.exe
PID 4400 wrote to memory of 2760	4400	2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe	gewos.exe
PID 4400 wrote to memory of 2760	4400	2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe	gewos.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_22508bb1ba27d4cea5256e3b0a65fb78_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
57KB

MD5
8d9ed857b3cfccdd1cfd905293b2deec

SHA1
e80f4908b7c55db8191bc1370d49d2f6b1b619a8

SHA256
1779d6b25f8b09b1d0deea5c8ce36679718430d3a2f394de44832f80592226f9

SHA512
64f00e7433dba063f455e50ec992638b6378858aa080c2228e0777f56a0c96f9e1b0f04dcde4b422d08982bb368b9f5b144f4dbfff1de5d6c0524eedab4e87b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
358a0be3fa22246401f7d0c63245507b

SHA1
de9ffa424040b5bc1978c5c7e97923d9f4208b46

SHA256
3922fd500f650e83e8b052a0c1657163b55fc8d244c3039ba522817ee4eef428

SHA512
0ef6bffe93aba4fec6e35472287ae38dc881d13b2e5fe6f380fe1f1d1da98ebd6a69330aeda03fbbe798edb63cc3a7118205d0ce97f8f0ae6fb63d09080edc43

Download Submit
memory/2760-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2760-27-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/4400-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4400-1-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/4400-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4400-9-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download