390b3e958de600889f486cb911d433c7f6c29b0876b466ab26a5207d1b59b11e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe
Size

63KB
MD5

1af0167a359181f219757d0cfd2a2ff9
SHA1

3310eeb199ed86f1e5bc3985bc65d614ae2a7952
SHA256

390b3e958de600889f486cb911d433c7f6c29b0876b466ab26a5207d1b59b11e
SHA512

d4318b68c49d1d339ee11c3b4473e86020a5bd06bf58e20064abf3069f3b6675dd359d28106b005bdea144ec1419a920a2be041f322d7bae650f74d5ac9bc23c
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHZnTb:btng54SMLr+/AO/kIhfoKMHdaX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gewos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 1588	4064	2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe	85
PID 4064 wrote to memory of 1588	4064	2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe	85
PID 4064 wrote to memory of 1588	4064	2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_1af0167a359181f219757d0cfd2a2ff9_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
63KB

MD5
00f9415d48eef1da8018082c5f79f68a

SHA1
16563cc528a63fc5ec41083c68b0f1207b8d90ab

SHA256
4fc7f1345062c748487d47f8b3def20a9bc36efe41e9f587b2de69c10d94096e

SHA512
608d13e9a01c6f14f0d371dacb0225e39d11f4311fcc0f2ebcf0307aad2b45375542145e5c6a031b96b327195a0bb1fd7c50f68baa71182d71bc61c37a9230f5

Download Submit
memory/1588-25-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/4064-0-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/4064-1-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/4064-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download