d9cef41bf072cbf2bac93977bb252d0e5237f32485281fb40852a7ddb2d9f987

Analysis

max time kernel
92s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe
Size

58KB
MD5

5cd287c0a464d3729e32ddd8a7640062
SHA1

e7328cbef953695b5b139cc5ec7e4c08b7767bb7
SHA256

d9cef41bf072cbf2bac93977bb252d0e5237f32485281fb40852a7ddb2d9f987
SHA512

2d327bc3e2acb7873141f6f04116a4d403d641a2226e24c6cda79799e2a988598cf4889dde82567ca1384cd5e1114edf0dbfe90d0892042360fe796418c85232
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlYr6:bP9g/xtCS3Dxx0LW

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	gewos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3320	gewos.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1428-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x0009000000023448-13.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gewos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 3320	1428	2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe	82
PID 1428 wrote to memory of 3320	1428	2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe	82
PID 1428 wrote to memory of 3320	1428	2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_5cd287c0a464d3729e32ddd8a7640062_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
58KB

MD5
f9f2ec13f7a9ee8ba1b2b48b9c847a29

SHA1
d27076b6347cfa65d2b0acdb8fbcff6e75fa0ae0

SHA256
5693a9e3e5399576ac2f78ff317d36ece17cb28930323df79ba450caead65c37

SHA512
80b04cda56a2fed45be8d0a1dc005abc469d0550a9652b36647689f55ad738fba83d143d2510908b8d9f55422089c7949ea29411d9e018f55a9241c3401d3a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
184B

MD5
f5e2c4f2fbcc93933d1a9a39a16f3ea8

SHA1
d67fafeb0f1bf084ca883209adf868779da76fcb

SHA256
9a628eeeae8f98be309094187d90c5ec165520ad14807b55d65b960a32ee5099

SHA512
5fd408408fda4e8c0e89becda77985a4428f76193f8188cfa8e51d338d62ca96b6c3f27d82f565321b4d5c7af172e5553708a85d7a4ba20069b8dbe5d6c5114d

Download Submit
memory/1428-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1428-1-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/1428-2-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/1428-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3320-26-0x00000000021F0000-0x00000000021F6000-memory.dmp

Filesize
24KB

Download