f4005deed0f6bf158a9f5816f2dfce93daac8f3d52f4ae2a4509511fd9bd6453

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe
Size

44KB
MD5

84847084d9ec050f56374785338dd87f
SHA1

c960f10229b5baf12728df5f19144720b4ed1a8b
SHA256

f4005deed0f6bf158a9f5816f2dfce93daac8f3d52f4ae2a4509511fd9bd6453
SHA512

687f295228d7647ea67e313e7654852efccb7a399f16ad3208a92a523c641712870933719193e07312bcee2fb84d456e7450b406553d8e812839f840bf7b8fa3
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunrkwIxZWQpyO:btB9g/WItCSsAGjX7e9N0hunrknljKru

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4852	2436	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	82
PID 2436 wrote to memory of 4852	2436	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	82
PID 2436 wrote to memory of 4852	2436	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
45KB

MD5
8578873c70e641905e748bda9a8272dc

SHA1
e6c11aeaf672625c06df86f9e8456be0f1733b4e

SHA256
d4817604cc56529a90185438a94e047e9b51ab317c06772fa48ef992963fb6be

SHA512
eb1534bf0824f3de201688fa26f90e6cb455bcbe4f77942a4725cb476b41fc0ecc83856199fdcf6a1cef9e80f60d4f06464d0cc98712a36473f092fb1ec2d573

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
93effa0f678de9cab763f62d8102e018

SHA1
a2e67cb397dba80549a833468ff7feeb173c79fc

SHA256
7c1dc5a2d71f81a13dba5b27b92dcb0bd816ea1c18af47d8e75df526dbd5baaf

SHA512
3a65eeac260cd16f3576a33330034a702eaa9b45c59483e753a57e67e65dee8c58e2b2fcce74836c81503c938d162a79a76711bec7d95cb4204a9c777b0dcb84

Download Submit
memory/2436-0-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/2436-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2436-8-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/4852-25-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download