Analysis
- max time kernel: 143s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-05-2021 12:55

Static task: static1

Behavioral task: behavioral1
- Sample: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
- Resource: win10v20210408
General
- Target: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
- Size: 66KB
- MD5: bd38a4e4d4c0903e094e4742c345d737
- SHA1: 40a89d66f0a2a6033ebfc25d03913dfca5e09dd4
- SHA256: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d
- SHA512: 5887f859e2ceda10dfd2f58997fa1920fb24f8ebaad3b29a79e8628b32cb251beaaaa924781eba604984b40dcce290d7302498aae932b19e02ab36aca24087c1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  | PID | Process |
  | --- | --- |
  | 1292 | geshost.exe |

- Deletes itself (1 IoC)
  Processes:
  | PID | Process |
  | --- | --- |
  | 1688 | cmd.exe |

- Drops file in Windows directory (3 IoCs)
  Processes:
  | Description | IoC | Process |
  | --- | --- | --- |
  | File created | C:\Windows\Debug\geshost.exe | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe |
  | File opened for modification | C:\Windows\Debug\geshost.exe | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe |
  | File opened for modification | C:\Windows\Debug\geshost.exe | attrib.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  | Description | IoC | Process |
  | --- | --- | --- |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | geshost.exe |
  | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | geshost.exe |

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  | Description | PID | Process |
  | --- | --- | --- |
  | Token: SeIncBasePriorityPrivilege | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe |

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  | Description | PID | Process | Target process |
  | --- | --- | --- | --- |
  | PID 1104 wrote to memory of 1208 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe |
  | PID 1104 wrote to memory of 1208 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe |
  | PID 1104 wrote to memory of 1208 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe |
  | PID 1104 wrote to memory of 1208 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe |
  | PID 1104 wrote to memory of 1688 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe |
  | PID 1104 wrote to memory of 1688 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe |
  | PID 1104 wrote to memory of 1688 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe |
  | PID 1104 wrote to memory of 1688 | 1104 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe |

- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +a +s +h +r C:\Windows\Debug\geshost.exe
    - Drops file in Windows directory
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E20E72~1.EXE > nul
    - Deletes itself
- C:\Windows\Debug\geshost.exe (depth 1)
  Command line: C:\Windows\Debug\geshost.exe
  - Executes dropped EXE
  - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Debug\geshost.exe
  - MD5: 59bba4b0f306ae0062b03ac307e77937
  - SHA1: 96ac91a070ca839a924a29f8ad16f9ebbc8c5308
  - SHA256: 4cdf4b788e0e02883576956772002bc37b9a3cee4a763a3648c854e5c037f1ef
  - SHA512: 3914b41773b1aea97eeee35d9cfce250c3151cbabdea37cd6ed819637d25d5d0a2b435c8b8e0ae46f3685e5cc28697d06dda5ac159237d12b87f32d6b044acad
- memory/1104-59-0x0000000076E11000-0x0000000076E13000-memory.dmp
  - Filesize: 8KB
- memory/1208-60-0x0000000000000000-mapping.dmp
- memory/1688-64-0x0000000000000000-mapping.dmp