e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d

General

Target

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
Size

66KB
MD5

bd38a4e4d4c0903e094e4742c345d737
SHA1

40a89d66f0a2a6033ebfc25d03913dfca5e09dd4
SHA256

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d
SHA512

5887f859e2ceda10dfd2f58997fa1920fb24f8ebaad3b29a79e8628b32cb251beaaaa924781eba604984b40dcce290d7302498aae932b19e02ab36aca24087c1

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

geshost.exe

pid process

1292 geshost.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1688 cmd.exe

pid	process
1292	geshost.exe

pid	process
1688	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exeattrib.exe

description	ioc	process
File created	C:\Windows\Debug\geshost.exe	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
File opened for modification	C:\Windows\Debug\geshost.exe	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
File opened for modification	C:\Windows\Debug\geshost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

geshost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	geshost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	geshost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

description pid process

Token: SeIncBasePriorityPrivilege 1104 e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

description	pid	process	target process
PID 1104 wrote to memory of 1208	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 1104 wrote to memory of 1208	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 1104 wrote to memory of 1208	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 1104 wrote to memory of 1208	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 1104 wrote to memory of 1688	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe
PID 1104 wrote to memory of 1688	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe
PID 1104 wrote to memory of 1688	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe
PID 1104 wrote to memory of 1688	1104	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1208 attrib.exe

pid	process
1208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
"C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\geshost.exe
2⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E20E72~1.EXE > nul
2⤵
- Deletes itself
PID:1688

C:\Windows\Debug\geshost.exe
C:\Windows\Debug\geshost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\geshost.exe
MD5
59bba4b0f306ae0062b03ac307e77937

SHA1
96ac91a070ca839a924a29f8ad16f9ebbc8c5308

SHA256
4cdf4b788e0e02883576956772002bc37b9a3cee4a763a3648c854e5c037f1ef

SHA512
3914b41773b1aea97eeee35d9cfce250c3151cbabdea37cd6ed819637d25d5d0a2b435c8b8e0ae46f3685e5cc28697d06dda5ac159237d12b87f32d6b044acad

Download Submit
C:\Windows\debug\geshost.exe
MD5
59bba4b0f306ae0062b03ac307e77937

SHA1
96ac91a070ca839a924a29f8ad16f9ebbc8c5308

SHA256
4cdf4b788e0e02883576956772002bc37b9a3cee4a763a3648c854e5c037f1ef

SHA512
3914b41773b1aea97eeee35d9cfce250c3151cbabdea37cd6ed819637d25d5d0a2b435c8b8e0ae46f3685e5cc28697d06dda5ac159237d12b87f32d6b044acad

Download Submit
memory/1104-59-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1208-60-0x0000000000000000-mapping.dmp

Download
memory/1688-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads