c0e2975291c9b4b8fdf4ffb421e6847355079daae095c77204841c3753706486

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe
Size

59KB
MD5

b01afe7f746f449fea6ba05e77f9d31c
SHA1

4a9a8774d088d1a7d86c2391d22e125ba1383530
SHA256

c0e2975291c9b4b8fdf4ffb421e6847355079daae095c77204841c3753706486
SHA512

1bdfa4962a3e662f7bff94b74634ad1a88cacbe017c40952a3be5ee446dd1fd895dacbcb86475c86803dc57e2203f929171f605a9adb1ff73e8f78ccb9d368aa
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlgcS8:bP9g/xtCS3Dxx0g

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1604	gewos.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/220-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x000a000000023cba-13.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gewos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1604	220	2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe	86
PID 220 wrote to memory of 1604	220	2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe	86
PID 220 wrote to memory of 1604	220	2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_b01afe7f746f449fea6ba05e77f9d31c_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
59KB

MD5
99be0477c685504a058080f956507604

SHA1
bcde308ceeb95246319121a9d72e5f75a53abca8

SHA256
e41e70ad1c371127b75fe477e14368445cf987a29212c6b6079dffef69405a5a

SHA512
b14ba7f76d40c81fe83b9df15c4987b5d6431b37d3cf37a9d427dfd18622300e8722f0eafcb1c4ab9e8f2777badc6bf45fb9052b53f6593dc8836cfb5cc2a0d6

Download Submit
memory/220-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/220-1-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download
memory/220-2-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download
memory/220-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1604-20-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download