4231600615c075ed2be2c0c1e3740da4d5b01daa8219dd7d6d19b6a969763ae3

Analysis

max time kernel
137s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe
Size

62KB
MD5

402001e07a8802c8b88aaf312682880d
SHA1

a93faad54ab27c00f8a80318d63663bca07301a4
SHA256

4231600615c075ed2be2c0c1e3740da4d5b01daa8219dd7d6d19b6a969763ae3
SHA512

e5dd83f9d002a5c6719dfe3fdc4dab226879ba1cd6de9c01e85abad71fcbb47a0f5d594acbe17daf4afa13ae201f5570041e10b6853003d86da5df73d60e86d7
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHZnF7HN:btng54SMLr+/AO/kIhfoKMHdaj

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exegewos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

1376 gewos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1376	gewos.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe

description	pid	process	target process
PID 3424 wrote to memory of 1376	3424	2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe	gewos.exe
PID 3424 wrote to memory of 1376	3424	2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe	gewos.exe
PID 3424 wrote to memory of 1376	3424	2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe	gewos.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_402001e07a8802c8b88aaf312682880d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\gewos.exe
"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
63KB

MD5
e1bc0eba6ef9f1eccbd01ed5ad4d4f5e

SHA1
796e3b87400d7a1fb91ea5a85ea3481f6b8359a0

SHA256
f15503118f66f194ba1f59ddb5552a9f4c257b6861fa7ae4be7e8cc5716ca26b

SHA512
e076a0398000341d91b08181afbc2929e2c36fe0acd436034421be164dbcfd85a08755ff146992b441a16a69a11058b6cde40b1f7efaa0c6b0bafd7334ecce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
19ffc9ae0720e3a989fd823cf99f2821

SHA1
5b9439dc301f596a8971d25f447a69570f28f3d6

SHA256
676c9b5dc67609101cd14f49b0a4441bde5d11c7490bc697428f7abb82cdc9cd

SHA512
124e35e7fafb2402f47a077f72c3686c26586dd745727e17fe5f7e9804bac690b6a70b38f89f47f120fe4186b3d0730e264098a8b40e30b2363944d071140695

Download Submit
memory/1376-25-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/3424-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3424-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3424-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download