Analysis

  • max time kernel
    143s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 12:55

General

  • Target

    e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

  • Size

    66KB

  • MD5

    bd38a4e4d4c0903e094e4742c345d737

  • SHA1

    40a89d66f0a2a6033ebfc25d03913dfca5e09dd4

  • SHA256

    e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d

  • SHA512

    5887f859e2ceda10dfd2f58997fa1920fb24f8ebaad3b29a79e8628b32cb251beaaaa924781eba604984b40dcce290d7302498aae932b19e02ab36aca24087c1

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
    "C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\geshost.exe
      2⤵
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:1208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E20E72~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1688
  • C:\Windows\Debug\geshost.exe
    C:\Windows\Debug\geshost.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

2
T1158

Defense Evasion

Hidden Files and Directories

2
T1158

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Debug\geshost.exe
    MD5

    59bba4b0f306ae0062b03ac307e77937

    SHA1

    96ac91a070ca839a924a29f8ad16f9ebbc8c5308

    SHA256

    4cdf4b788e0e02883576956772002bc37b9a3cee4a763a3648c854e5c037f1ef

    SHA512

    3914b41773b1aea97eeee35d9cfce250c3151cbabdea37cd6ed819637d25d5d0a2b435c8b8e0ae46f3685e5cc28697d06dda5ac159237d12b87f32d6b044acad

  • C:\Windows\debug\geshost.exe
    MD5

    59bba4b0f306ae0062b03ac307e77937

    SHA1

    96ac91a070ca839a924a29f8ad16f9ebbc8c5308

    SHA256

    4cdf4b788e0e02883576956772002bc37b9a3cee4a763a3648c854e5c037f1ef

    SHA512

    3914b41773b1aea97eeee35d9cfce250c3151cbabdea37cd6ed819637d25d5d0a2b435c8b8e0ae46f3685e5cc28697d06dda5ac159237d12b87f32d6b044acad

  • memory/1104-59-0x0000000076E11000-0x0000000076E13000-memory.dmp
    Filesize

    8KB

  • memory/1208-60-0x0000000000000000-mapping.dmp
  • memory/1688-64-0x0000000000000000-mapping.dmp