059945b0027aea84d1fcb80dae2f6605fe3bb44a089d06ecf1c2833b11f54661

Analysis

max time kernel
136s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
Size

38KB
MD5

83ab1b105c206fd5d37c54c58e90bd99
SHA1

c71bfd9fe0c429c947718d5b177a9dcbf520e943
SHA256

059945b0027aea84d1fcb80dae2f6605fe3bb44a089d06ecf1c2833b11f54661
SHA512

c08664ee3ec3631c737680b69d1d3ae830720c9462496d65f4d2c5349e29b1b656bc8d23cf26e02ec11b3de6c665eb636d92a9363bdcf97ee9ca2db201e3ab9b
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyHmYvV8o:btB9g/WItCSsAGjX7e9N0hunRvGIV8o

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exegewos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

3520 gewos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3520	gewos.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe

description	pid	process	target process
PID 1956 wrote to memory of 3520	1956	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe
PID 1956 wrote to memory of 3520	1956	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe
PID 1956 wrote to memory of 3520	1956	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\gewos.exe
"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
39KB

MD5
4a22638462294237bd7fac71595151e7

SHA1
6308c866c97e6a73bf625824717f7469e9f7b9ae

SHA256
52af23aa5d8fbd17079e18df770b3577720609bd63c9f46699170769c1da5560

SHA512
eb116c9760e4de92748915373108f1fece0ebd6313b3c4e7261d71f67dd2f30685d9087b46ef7f23152c2245c46e40efad66e6b326b4d0d4afe41bdb4aefff08

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
1abe321df50989b5735271206ce397cd

SHA1
c80d817c8bd3dd7cd8400c6ef08db55aa6682d97

SHA256
3ed88b04cfafa1e6c3cead9ee8c71988475f6735de06af47d61e48dd6c019647

SHA512
96cbb6e3fcccffdba092ca5b09bef128cd11ec0bd1fd32fc4f753633030d3434cd02db3e76888e0ef7b322095bbb826aba5d7ab1a1f3d973b14c5f12491cffee

Download Submit
memory/1956-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1956-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1956-8-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3520-25-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download