Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/05/2024, 03:49
Static task: static1
Behavioral task: behavioral1
Sample: 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe
Resource: win10v2004-20240508-en
General
Target: 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe
Size: 62KB
MD5: 88aa0a87ee57c61d3f92524b7d43dfe2
SHA1: 703c9d57d24e11a422c1af2005d838af625de655
SHA256: 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b
SHA512: a284e4e8bfdfffbd8807b231e4d169383760ae01705b36c18e7134fa3cd26e9d9c465613b1c42a69e4866ef823b190bdbb7c63a9f5dcebb8dbad6cb944a1d814
SSDEEP: 1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHZnxF:btng54SMLr+/AO/kIhfoKMHdaz
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value read is the per-user GEOID that the GetUserGeoID API returns, and benign software queries it as well, so on its own this is weak evidence; it is noted here because both the sample and the executable it drops perform the same query.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | gewos.exe
Executes dropped EXE (1 IoC)
PID | Process
2676 | gewos.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
Description | PID | Process | procid_target
PID 2708 wrote to memory of 2676 | 2708 | 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe | 83
PID 2708 wrote to memory of 2676 | 2708 | 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe | 83
PID 2708 wrote to memory of 2676 | 2708 | 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe | 83
All three records are identical and target the child gewos.exe (PID 2676) that the sample itself launched. The report does not show what was written or whether the child's image was replaced, so this alone does not establish injection or hollowing.
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe (PID 2708)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\gewos.exe (PID 2676), child of PID 2708
      Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      - Checks computer location settings
      - Executes dropped EXE
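The three signatures above (the Geo\Nation query by both processes, the dropped executable started from %TEMP%, and the parent writing into the child it spawned) can be re-derived from the raw sandbox events. The following is an added example written for this page, not the sandbox's own signature code: it rebuilds the process tree from event records constructed from the IoCs listed in the report and emits one finding per signature. The event field names (`kind`, `pid`, `ppid`, `image`, `key`, `target`) and the rule names are assumptions of mine, and the "dropped EXE" rule is a path heuristic because the report lists no file-create event.

```python
"""Re-derive the report's signatures from raw sandbox events.

Added example for this page; not the sandbox vendor's signature code.
The event records below are constructed from the IoCs visible in the
report; the field names (kind, pid, ppid, image, key, target) and the
rule names are assumptions of mine.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
           r"\Control Panel\International\Geo\Nation")
# Trailing part of the per-user key that stores the configured GEOID.
GEO_SUFFIX = r"\control panel\international\geo\nation"

# Constructed from the report: two process starts, two registry queries and
# the three identical WriteProcessMemory records the report lists.
EVENTS = [
    {"kind": "process", "pid": 2708, "ppid": None, "image": SAMPLE},
    {"kind": "regquery", "pid": 2708, "key": GEO_KEY},
    {"kind": "memwrite", "pid": 2708, "target": 2676},
    {"kind": "memwrite", "pid": 2708, "target": 2676},
    {"kind": "memwrite", "pid": 2708, "target": 2676},
    {"kind": "process", "pid": 2676, "ppid": 2708, "image": DROPPED},
    {"kind": "regquery", "pid": 2676, "key": GEO_KEY},
]


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    reg_queries: list[str] = field(default_factory=list)
    mem_writes: list[int] = field(default_factory=list)


def build_tree(events: list[dict]) -> dict[int, Proc]:
    """Index processes by PID and attach their registry and memory events."""
    procs: dict[int, Proc] = {}
    for e in events:
        if e["kind"] == "process":
            procs[e["pid"]] = Proc(e["pid"], e["ppid"], e["image"])
    for e in events:
        if e["kind"] == "regquery":
            procs[e["pid"]].reg_queries.append(e["key"])
        elif e["kind"] == "memwrite":
            procs[e["pid"]].mem_writes.append(e["target"])
    return procs


def under_temp(path: str) -> bool:
    """True when the image lives directly under the user's %TEMP% directory."""
    return path.lower().startswith(TEMP.lower() + "\\")


def findings(procs: dict[int, Proc]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) tuples, one per matched signature."""
    out: list[tuple[str, int, str]] = []
    for p in procs.values():
        # Geofence check: the process read the user's configured country code.
        if any(q.lower().endswith(GEO_SUFFIX) for q in p.reg_queries):
            out.append(("geofence_registry_query", p.pid, p.image))
        # Dropped EXE (heuristic): a child in %TEMP% started by a parent in
        # %TEMP%. A file-create event from the parent would be stronger
        # evidence, but the report does not list one.
        parent = procs.get(p.ppid) if p.ppid is not None else None
        if parent and under_temp(p.image) and under_temp(parent.image):
            out.append(("executes_dropped_exe", p.pid, p.image))
        # Parent wrote into a process it spawned; identical records collapse
        # to one finding so the count reflects distinct targets.
        for target in sorted(set(p.mem_writes)):
            child = procs.get(target)
            if child is not None and child.ppid == p.pid:
                out.append(("writes_spawned_child_memory", p.pid,
                            f"{p.pid}->{target}"))
    return out


if __name__ == "__main__":
    for rule, pid, detail in findings(build_tree(EVENTS)):
        print(f"{rule:<28} pid={pid} {detail}")
```

Collapsing the three identical WriteProcessMemory records into one finding is deliberate: the report counts them as three IoCs, but for triage the question is how many distinct targets the parent touched, and here it is exactly the child it created.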
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 62KB
MD5: 18069b46fa447c3e07ed33ff887a08b2
SHA1: 0988e7fd7fa657091bfd0090ac9bfb303d37041e
SHA256: a0d75c0519336769baa64e6ceab9631f9485928584c6845731641efd52259cf4
SHA512: b78e0f1c685b0baf38d3b793579fb9369ad23872512cdda8a9fe8d34a492e51bd8e633a206a8c573d5904a8dce48faac38462f84e6271ab056328e47b1e34de4

Filesize: 185B
MD5: 40d343a73722f72616e709f6e0ccbb55
SHA1: 4b85714688e285c16f2c917e585567d727af12bf
SHA256: a136a03ce706abc14f553c9fc3353a6a476f8102c3dea6192b575fbeb496b805
SHA512: 3bc3363cb51c100ce7f4e93303554887f4310cd814d985e79bb1cb185e5159024f446a54439d52a3992129892fbedfe69e1c5abe9f314f300741e93d30d4c8f9