Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/05/2024, 03:49

General

  • Target

    8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe

  • Size

    62KB

  • MD5

    88aa0a87ee57c61d3f92524b7d43dfe2

  • SHA1

    703c9d57d24e11a422c1af2005d838af625de655

  • SHA256

    8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b

  • SHA512

    a284e4e8bfdfffbd8807b231e4d169383760ae01705b36c18e7134fa3cd26e9d9c465613b1c42a69e4866ef823b190bdbb7c63a9f5dcebb8dbad6cb944a1d814

  • SSDEEP

    1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHZnxF:btng54SMLr+/AO/kIhfoKMHdaz

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe
    "C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:2676

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\gewos.exe

          Filesize

          62KB

          MD5

          18069b46fa447c3e07ed33ff887a08b2

          SHA1

          0988e7fd7fa657091bfd0090ac9bfb303d37041e

          SHA256

          a0d75c0519336769baa64e6ceab9631f9485928584c6845731641efd52259cf4

          SHA512

          b78e0f1c685b0baf38d3b793579fb9369ad23872512cdda8a9fe8d34a492e51bd8e633a206a8c573d5904a8dce48faac38462f84e6271ab056328e47b1e34de4

        • C:\Users\Admin\AppData\Local\Temp\gewosik.exe

          Filesize

          185B

          MD5

          40d343a73722f72616e709f6e0ccbb55

          SHA1

          4b85714688e285c16f2c917e585567d727af12bf

          SHA256

          a136a03ce706abc14f553c9fc3353a6a476f8102c3dea6192b575fbeb496b805

          SHA512

          3bc3363cb51c100ce7f4e93303554887f4310cd814d985e79bb1cb185e5159024f446a54439d52a3992129892fbedfe69e1c5abe9f314f300741e93d30d4c8f9

        • memory/2676-25-0x0000000002090000-0x0000000002096000-memory.dmp

          Filesize

          24KB

        • memory/2708-0-0x00000000007C0000-0x00000000007C6000-memory.dmp

          Filesize

          24KB

        • memory/2708-1-0x0000000000400000-0x0000000000406000-memory.dmp

          Filesize

          24KB

        • memory/2708-8-0x00000000007C0000-0x00000000007C6000-memory.dmp

          Filesize

          24KB