Malware Analysis Report

2025-08-05 16:06

Sample ID 240526-edb1haee82
Target 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b
SHA256 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b

Threat Level: Shows suspicious behavior

The file 8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b was found to show suspicious behavior (score 7/10).

Malicious Activity Summary

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:49

Reported

2024-05-26 03:51

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe

"C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country  Destination        Domain     Proto
US       8.8.8.8:53         nasap.net  udp
US       35.212.119.5:443   nasap.net  tcp

Files

memory/2940-0-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

memory/2940-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2940-8-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 18069b46fa447c3e07ed33ff887a08b2
SHA1 0988e7fd7fa657091bfd0090ac9bfb303d37041e
SHA256 a0d75c0519336769baa64e6ceab9631f9485928584c6845731641efd52259cf4
SHA512 b78e0f1c685b0baf38d3b793579fb9369ad23872512cdda8a9fe8d34a492e51bd8e633a206a8c573d5904a8dce48faac38462f84e6271ab056328e47b1e34de4

memory/2072-16-0x0000000000280000-0x0000000000286000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:49

Reported

2024-05-26 03:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Enumerates physical storage devices
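The two signature tables above name a registry read and a dropped-file execution, but not how to spot either outside the sandbox. The following is an added example (not part of the report or the sandbox's own rule set) that runs both checks as detection logic over a handful of constructed events. The event schema is an assumption loosely modelled on Sysmon field names; PIDs 2708 and 2676 are taken from the report's memory-dump names, and the notepad events are invented benign filler. One caveat is built into the code: Sysmon records registry create/delete/set/rename (EventID 12 to 14) but not value reads, so a rule on a RegQueryValue of Geo\Nation needs an EDR or ETW-based registry source, and on its own that read is a weak signal because plenty of legitimate software performs it.

```python
"""Detection logic for two signatures from the tables above.

Added example; not part of the sandbox report.  The event schema
(EventType / ProcessId / Image / ParentImage / TargetFilename / TargetObject)
is an assumption loosely modelled on Sysmon field names.  Sysmon itself logs
registry create/delete/set/rename (EventID 12-14) but not value reads, so the
RegistryQuery events need an EDR or ETW registry-provider source in practice.
"""
import re

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
           r"\Control Panel\International\Geo\Nation")

# Constructed events mirroring the behavioral2 process tree.  PIDs 2708 and
# 2676 come from the report's memory-dump names; the notepad events are
# invented benign filler that exercises the false-positive path of rule 2.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 2708, "Image": SAMPLE, "ParentImage": EXPLORER},
    {"EventType": "FileCreate", "ProcessId": 2708, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventType": "RegistryQuery", "ProcessId": 2708, "Image": SAMPLE, "TargetObject": GEO_KEY},
    {"EventType": "ProcessCreate", "ProcessId": 2676, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventType": "RegistryQuery", "ProcessId": 2676, "Image": DROPPED, "TargetObject": GEO_KEY},
    {"EventType": "ProcessCreate", "ProcessId": 4100, "Image": NOTEPAD, "ParentImage": EXPLORER},
    {"EventType": "RegistryQuery", "ProcessId": 4100, "Image": NOTEPAD, "TargetObject": GEO_KEY},
]


def run_rules(events):
    """Stream events once and emit an alert dict per rule hit.

    Rule 1, 'Executes dropped EXE': a ProcessCreate whose Image was written
    earlier in the stream by a FileCreate (the drop-then-run chain).
    Rule 2, 'Checks computer location settings': any read of
    ...\\Control Panel\\International\\Geo\\Nation, annotated with whether the
    reader lives in the user's Temp directory.
    """
    dropped = {}   # lower-cased path of a written .exe -> pid that wrote it
    alerts = []
    for ev in events:
        kind = ev["EventType"]
        if kind == "FileCreate" and ev["TargetFilename"].lower().endswith(".exe"):
            dropped[ev["TargetFilename"].lower()] = ev["ProcessId"]
        elif kind == "ProcessCreate" and ev["Image"].lower() in dropped:
            alerts.append({"rule": "Executes dropped EXE", "pid": ev["ProcessId"],
                           "image": ev["Image"], "dropped_by": dropped[ev["Image"].lower()]})
        elif kind == "RegistryQuery" and GEO_NATION_RE.search(ev["TargetObject"]):
            alerts.append({"rule": "Checks computer location settings", "pid": ev["ProcessId"],
                           "image": ev["Image"], "from_temp": bool(TEMP_DIR_RE.search(ev["Image"]))})
    return alerts


def suspicious_pids(alerts):
    """PIDs worth escalating: ran a dropped EXE, or read Geo\\Nation while
    running from Temp.  A Geo\\Nation read alone is not escalated; plenty of
    legitimate software performs it."""
    return {a["pid"] for a in alerts if a["rule"] == "Executes dropped EXE" or a.get("from_temp")}


if __name__ == "__main__":
    found = run_rules(EVENTS)
    for alert in found:
        print(alert)
    print("escalate:", sorted(suspicious_pids(found)))
```

Run as a script it prints four alerts; suspicious_pids() escalates only 2708 and 2676, while notepad's identical Geo\Nation read is recorded but not escalated, which is the triage distinction the sandbox's flat signature list does not make.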

Processes

C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe

"C:\Users\Admin\AppData\Local\Temp\8a3c53bf3d82326a58eb191b8036f00ea1892da34311195f7daa0b81301a049b.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53           nasap.net                      udp
US       35.212.119.5:443     nasap.net                      tcp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           5.119.212.35.in-addr.arpa      udp
US       8.8.8.8:53           226.21.18.104.in-addr.arpa     udp
US       8.8.8.8:53           75.159.190.20.in-addr.arpa     udp
NL       23.62.61.97:443      www.bing.com                   tcp
US       8.8.8.8:53           97.61.62.23.in-addr.arpa       udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa     udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53           3.17.178.52.in-addr.arpa       udp

Files

memory/2708-0-0x00000000007C0000-0x00000000007C6000-memory.dmp

memory/2708-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2708-8-0x00000000007C0000-0x00000000007C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 18069b46fa447c3e07ed33ff887a08b2
SHA1 0988e7fd7fa657091bfd0090ac9bfb303d37041e
SHA256 a0d75c0519336769baa64e6ceab9631f9485928584c6845731641efd52259cf4
SHA512 b78e0f1c685b0baf38d3b793579fb9369ad23872512cdda8a9fe8d34a492e51bd8e633a206a8c573d5904a8dce48faac38462f84e6271ab056328e47b1e34de4

memory/2676-25-0x0000000002090000-0x0000000002096000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5 40d343a73722f72616e709f6e0ccbb55
SHA1 4b85714688e285c16f2c917e585567d727af12bf
SHA256 a136a03ce706abc14f553c9fc3353a6a476f8102c3dea6192b575fbeb496b805
SHA512 3bc3363cb51c100ce7f4e93303554887f4310cd814d985e79bb1cb185e5159024f446a54439d52a3992129892fbedfe69e1c5abe9f314f300741e93d30d4c8f9
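The Files and Network blocks are the parts of this report a responder actually carries out of it. Below is an added example (my code, not the sandbox's export tooling) that parses those two blocks into indicators, using excerpts copied from the behavioral1 and behavioral2 sections above (the behavioral2 network table is abbreviated). The layout rules it relies on are assumptions: a dropped-file block is a path line followed by MD5/SHA1/SHA256/SHA512 lines, a network row is `<country> <ip>:<port> <name> <proto>`, `*.in-addr.arpa` rows are the sandbox's reverse lookups of addresses it saw rather than sample activity, and 8.8.8.8 is the guest's resolver. Two checks a practitioner wants fall out of it: gewos.exe hashes identically in both runs (the parser raises if a path ever reports two different digests), and nasap.net is the only domain contacted in both detonations, while the Bing hosts appear only in the Windows 10 run and are not attributed to a process anywhere in the report.

```python
"""IOC extraction for the Files and Network blocks of this report format.

Added example, not the sandbox's own tooling.  RUN1 and RUN2 are excerpts
copied from the behavioral1 and behavioral2 sections (RUN2's network table is
abbreviated).  The block layout, the treatment of *.in-addr.arpa rows as
sandbox reverse lookups, and 8.8.8.8 as the guest resolver are assumptions.
"""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_LINE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(udp|tcp)$")
RESOLVER = "8.8.8.8"  # the sandbox's DNS server, never an endpoint indicator

RUN1 = r"""
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp
memory/2940-0-0x0000000001CE0000-0x0000000001CE6000-memory.dmp
\Users\Admin\AppData\Local\Temp\gewos.exe
MD5 18069b46fa447c3e07ed33ff887a08b2
SHA1 0988e7fd7fa657091bfd0090ac9bfb303d37041e
SHA256 a0d75c0519336769baa64e6ceab9631f9485928584c6845731641efd52259cf4
SHA512 b78e0f1c685b0baf38d3b793579fb9369ad23872512cdda8a9fe8d34a492e51bd8e633a206a8c573d5904a8dce48faac38462f84e6271ab056328e47b1e34de4
"""
RUN2 = r"""
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp
US 8.8.8.8:53 5.119.212.35.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
C:\Users\Admin\AppData\Local\Temp\gewos.exe
MD5 18069b46fa447c3e07ed33ff887a08b2
SHA1 0988e7fd7fa657091bfd0090ac9bfb303d37041e
SHA256 a0d75c0519336769baa64e6ceab9631f9485928584c6845731641efd52259cf4
SHA512 b78e0f1c685b0baf38d3b793579fb9369ad23872512cdda8a9fe8d34a492e51bd8e633a206a8c573d5904a8dce48faac38462f84e6271ab056328e47b1e34de4
C:\Users\Admin\AppData\Local\Temp\gewosik.exe
MD5 40d343a73722f72616e709f6e0ccbb55
SHA1 4b85714688e285c16f2c917e585567d727af12bf
SHA256 a136a03ce706abc14f553c9fc3353a6a476f8102c3dea6192b575fbeb496b805
SHA512 3bc3363cb51c100ce7f4e93303554887f4310cd814d985e79bb1cb185e5159024f446a54439d52a3992129892fbedfe69e1c5abe9f314f300741e93d30d4c8f9
"""


def normalize_path(path):
    """Drop the drive letter so behavioral1's '\\Users\\...' and behavioral2's
    'C:\\Users\\...' key the same artifact."""
    return re.sub(r"^[A-Za-z]:", "", path.strip())


def parse_file_artifacts(text, artifacts=None):
    """Collect {path: {algo: digest}}; may be fed several runs in turn.
    A digest that contradicts one already recorded for the path raises, so a
    file reported by two detonations must hash identically."""
    artifacts = {} if artifacts is None else artifacts
    prev, current = None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if not m:
            prev = line          # remember the line above a hash block
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} of wrong length for {prev}")
        if algo == "MD5":        # first line of a block: the path sits just above
            current = normalize_path(prev)
            artifacts.setdefault(current, {})
        if current is None:
            raise ValueError("hash line without a preceding path")
        if artifacts[current].get(algo) not in (None, digest):
            raise ValueError(f"conflicting {algo} for {current}")
        artifacts[current][algo] = digest
    return artifacts


def parse_network(text):
    """Return (domains, endpoints) for one run.  PTR rows are skipped and the
    resolver never becomes an endpoint; a DNS row still contributes its name."""
    domains, endpoints = set(), set()
    for line in text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        _country, ip, port, name, proto = m.groups()
        if name.endswith(".in-addr.arpa"):
            continue
        domains.add(name)
        if ip != RESOLVER:
            endpoints.add(f"{ip}:{port}/{proto}")
    return domains, endpoints


def common_domains(*runs):
    """Domains contacted in every detonation; guest-image noise drops out."""
    return set.intersection(*(parse_network(r)[0] for r in runs))


def extract_iocs(*runs):
    files = {}
    for r in runs:
        parse_file_artifacts(r, files)
    endpoints = set().union(*(parse_network(r)[1] for r in runs))
    return {"files": files, "domains_all_runs": common_domains(*runs), "endpoints": endpoints}


if __name__ == "__main__":
    import json
    out = extract_iocs(RUN1, RUN2)
    print(json.dumps({k: (sorted(v) if isinstance(v, set) else v) for k, v in out.items()}, indent=2))
```

The per-run domain sets are kept separately from the intersection on purpose: the Bing hosts are still worth seeing (they tell you what the Windows 10 image does in the background), but only the domain present in both runs goes into a blocklist.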