Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2024 05:27

General

  • Target

    2024-09-21_bca189f367c846c218012c328f1d37a5_cryptolocker.exe

  • Size

    42KB

  • MD5

    bca189f367c846c218012c328f1d37a5

  • SHA1

    265aee9ae9e76e3b58c334904853baadcedd20a6

  • SHA256

    b12a63ac85b782a4804c58f7f92761f6628e6f3bbb4a582b74bcfa0df782afc8

  • SHA512

    c9b1a16186f2d3cfb676d5b3a078a7a65a557dda2eeaf6e49e7b103a14fd96acc551b79253d25b6a675f6028618dfe418495ea4ba83931fb2f55e67f007f769a

  • SSDEEP

    384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B94IOMHo3sxP1TP:btB9g/WItCSsAGjX7r3BPOMHoc/QQJPZ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-21_bca189f367c846c218012c328f1d37a5_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_bca189f367c846c218012c328f1d37a5_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe

    Filesize

    42KB

    MD5

    c62343f112523e481e38dc2ee48a0566

    SHA1

    83871dd1fe858ed74fab4d97e89182e19d310f44

    SHA256

    33c1607dc7c67733e918e9702cdcaf208eebe5842974d783552a39c50c5e5297

    SHA512

    5b500cf00457fb2beb40d44efc89ca79808b168dadaaa97214496893c34167d12c4082f1fe79620a0b4b7af5fab3d85821080a26646008815a77801ed89b49fc

  • C:\Users\Admin\AppData\Local\Temp\gewosik.exe

    Filesize

    184B

    MD5

    c6feddfa8e7984d1772eb523d801eabe

    SHA1

    f9ae491d9d5f99fb9cdfd8a54fde56eb49f82e40

    SHA256

    5ec887edbbd61600a62f13732b8b434f8a401f1b90fcd8573325c0033ab786a1

    SHA512

    aad498d4721b2ccc6bfed3549e6e7a31944b2c9a1e46faadb6ad9872837fb7b78b0eb2c441f398e06dd11f533fdb9ad3993444d936e3bbc03e347b4b94250dd0

  • memory/4252-25-0x0000000002120000-0x0000000002126000-memory.dmp

    Filesize

    24KB

  • memory/4508-0-0x0000000000730000-0x0000000000736000-memory.dmp

    Filesize

    24KB

  • memory/4508-1-0x0000000000730000-0x0000000000736000-memory.dmp

    Filesize

    24KB

  • memory/4508-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB