bc36649eb089bd8d6a0a38d85d975fb8f4e875662fb381e5f5039fe759cdf473

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe
Size

41KB
MD5

9e43b6ce4dfcb47a4527a8fb359678d0
SHA1

8e7479a6c74726dd563f614a8adfddbb8cc2c625
SHA256

bc36649eb089bd8d6a0a38d85d975fb8f4e875662fb381e5f5039fe759cdf473
SHA512

9d5159cffecb6609397f48932cfc0010df52dc765f53dc56a4547c7eb29cacac537a5f3144329895ddb9693f551a16eb207e8cd1e689868e82006f963962f61f
SSDEEP

768:btB9g/WItCSsAGjX7r3BPOz6rMVYsuJb5C:btB9g/xtCSKfx0q15C

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2068	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gewos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2068	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe
2144	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2144	2068	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe	30
PID 2068 wrote to memory of 2144	2068	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe	30
PID 2068 wrote to memory of 2144	2068	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe	30
PID 2068 wrote to memory of 2144	2068	2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_9e43b6ce4dfcb47a4527a8fb359678d0_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
42KB

MD5
4daba4baeca8d243c87e082c1cadeeaf

SHA1
2664d775afb2e451ef6707896346aeb592ab3e99

SHA256
a8be44107440a8096d47402f4410e802068ddd435837295416b694673569716c

SHA512
385e5449934838a168c1feb374667a33acf4a8fe8674e7524d5c3e4e5a6eb8c7cf0ab86e3e82604b7f6d9c988734a4b31b5337fc4585e0056fc262f7f3e231e4

Download Submit
memory/2068-8-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2068-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2068-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2144-23-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download