43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe
Size

56KB
MD5

d88e98cb1261316530db45d0b64004d9
SHA1

1766e636b2ad2b02f067eedaf76cb6d9280f44d3
SHA256

43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf
SHA512

41cfcbd1ba11497f7502fb02864c702eeb6a88d3e920ee6532ffcfc1584632fd2d588b85028139bfa5274bb4467abcdb3c70607d20273b24d1c0b81a4e8e2637
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlYU:bP9g/xtCS3Dxx0LU

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x000d00000001227e-11.dat	upx
behavioral1/memory/2848-16-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2188	43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe
2848	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2848	2188	43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe	28
PID 2188 wrote to memory of 2848	2188	43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe	28
PID 2188 wrote to memory of 2848	2188	43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe	28
PID 2188 wrote to memory of 2848	2188	43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe	28

C:\Users\Admin\AppData\Local\Temp\43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe
"C:\Users\Admin\AppData\Local\Temp\43fca09fbb55f38d84654001d001b8cd640fc504da5811e9e3befbed3f1b5bbf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
57KB

MD5
33ff7286a20f94ba39a4252f7fd11e9e

SHA1
e9fbb13b4abcabb35d814a4b02c1cb8a25e302e5

SHA256
334d3e866bb17c265053b78ca3b66c75efad314255019539284218917d591f6d

SHA512
62f3479550a310c981a2afbda97ae9485c7120c88df81196c7838ee4a82bbd3d8c015716a10e787182549d83e98a436948130ec37169fc14d5cc0da9067bab77

Download Submit
memory/2188-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2188-1-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2188-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2188-8-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2848-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2848-25-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download