Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 14:25

General

  • Target

    2024-09-19_6582620fdedb8e663f032d0fa7fb2763_cryptolocker.exe

  • Size

    34KB

  • MD5

    6582620fdedb8e663f032d0fa7fb2763

  • SHA1

    95914df6778ed0b005705c5074c562dd69195730

  • SHA256

    bc467f00945a78f3b3c164a4d8696766763ba22cb71313f08c1a4c1ff8f297fa

  • SHA512

    c4638f6ad736e51e19284dedc59398d87a962ca796bc83e9ae040de695355a17ddf63716784d7d7deed6e5aa2a45cbd87916cce216d8d5c864b7d1270ff94b3c

  • SSDEEP

    384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0h:btB9g/WItCSsAGjX7e9N2

Score
7/10

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_6582620fdedb8e663f032d0fa7fb2763_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_6582620fdedb8e663f032d0fa7fb2763_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4680

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    34KB

    MD5

    c0de0ae59ab4aa1ed4b599d3c111e899

    SHA1

    714600ab4f2297499a7b4bf8764e8b07f32b7257

    SHA256

    fde427515ae1ed1dc757bb75c9448f76650577b429f093a796e66593bc7ab17a

    SHA512

    e41975e654beaf6d14bd1fed11c9ea0aa3b175f7d97387ef685ecb88ff9f9facd588784919c0c0cf7e3715a4440fe3ad57bedf57ce54f095b695582f43651a44

  • C:\Users\Admin\AppData\Local\Temp\gewosik.exe

    Filesize

    184B

    MD5

    7a48fe67c630615cb4d7fb9fc491f8b0

    SHA1

    930d573ee3dbe62524ace1c5755ce45ba90dcb3b

    SHA256

    bbc82b607662e86ed15b10f08009800f096a5d23b41a0a124542335ad4d14033

    SHA512

    4e7a8cb42c351ea8f4b2003f79ad1e8fec82274b448060459662a7c22803b7ab2f33a8e54af3250b4c8d86f828c52207b1807a0e074401488ea320a2bc66f9dd

  • memory/4000-0-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/4000-1-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/4000-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/4680-25-0x0000000002D50000-0x0000000002D56000-memory.dmp

    Filesize

    24KB