Analysis
- max time kernel: 196s
- max time network: 199s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:46
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe
  - Resource: win7-20220414-en
General
- Target: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe
- Size: 541KB
- MD5: 60a23c51894524a344bfecab6532dc7f
- SHA1: fb84a84cb7e6ce0ecf8fc75ffcf162ddcaffcdd7
- SHA256: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f
- SHA512: a43f13af5fc0beeec1802a8541cd79104766e82b4770221e0e8bfe78df48b04267d0b777a457badee7a548d90bcd7786048e616e666e566a80e20d8cf4a3ca52
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Gekon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe"
  (The stock value is userinit.exe alone; appending a second path makes Winlogon start msd1csc.exe at every interactive logon.)

- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msd1csc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

- Modifies security service (2 TTPs, 1 IoC)
  Process: msd1csc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  (Start=4 sets the Security Center service to Disabled.)

- Disables Task Manager via registry modification

- Executes dropped EXE (2 IoCs)
  PID 520 Gekon.exe
  PID 1676 msd1csc.exe

- Matches yara rule upx on dropped files (UPX-packed, 11 IoCs)
  \Users\Admin\AppData\Roaming\Gekon.exe (5 matches)
  C:\Users\Admin\AppData\Roaming\Gekon.exe (2 matches)
  \Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe (2 matches)
  C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe (2 matches)

- Loads dropped DLL (7 IoCs)
  PID 1988 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe (5 events)
  PID 520 Gekon.exe (2 events)

- Windows security modification (2 IoCs)
  Process: msd1csc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  (Written under Wow6432Node because msd1csc.exe is a 32-bit process on a 64-bit host; both values are stored as strings, not DWORDs.)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msd1csc.exe, Gekon.exe
  Both processes write the same value:
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe"

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1676 msd1csc.exe

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 520 Gekon.exe and PID 1676 msd1csc.exe each adjusted the same 23 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34 and 35

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1676 msd1csc.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1988 (57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe) wrote to PID 520 (Gekon.exe): 4 events
  PID 520 (Gekon.exe) wrote to PID 588 (cmd.exe): 4 events
  PID 520 (Gekon.exe) wrote to PID 1648 (cmd.exe): 4 events
  PID 520 (Gekon.exe) wrote to PID 328 (notepad.exe): 18 events
  PID 588 (cmd.exe) wrote to PID 1052 (attrib.exe): 4 events
  PID 1648 (cmd.exe) wrote to PID 268 (attrib.exe): 4 events
  PID 520 (Gekon.exe) wrote to PID 1676 (msd1csc.exe): 4 events
  PID 1676 (msd1csc.exe) wrote to PID 1940 (notepad.exe): 22 events
  (Four writes into a freshly created child is the normal CreateProcess pattern; the 18 and 22 writes into notepad.exe, which both droppers launched with no arguments, are consistent with injection into a decoy process.)

- System policy modification (1 TTPs, 3 IoCs)
  Process: msd1csc.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  (Path as recorded: the value lands under a misspelled "Explorern" subkey of Policies\CurrentVersion rather than the documented Policies\Explorer location, so the Control Panel restriction is unlikely to take effect; it is still a useful detection artefact.)

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 1052 attrib.exe
  PID 268 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe (PID 1988, no arguments)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Gekon.exe (PID 520, no arguments)
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\notepad.exe (PID 328)
      Command line: notepad
    - C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe (PID 1676, no arguments)
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - C:\Windows\SysWOW64\notepad.exe (PID 1940)
        Command line: notepad

Notes on the tree: the command lines name C:\Windows\System32\cmd.exe but the images run from C:\Windows\SysWOW64, because every process here is 32-bit and WOW64 redirects the System32 path. cmd.exe is started with /k, so each shell stays resident after attrib returns. The first attrib hides the dropped Gekon.exe (system + hidden); the second marks the user's entire AppData\Roaming directory system + hidden, not just the dropped file. Both Gekon.exe and msd1csc.exe launch a bare notepad.exe and then write into it repeatedly (see the WriteProcessMemory rows above).
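The registry writes in the Signatures section and the launches in the process tree above, turned into detection logic. This is an added example, not part of the sandbox report or the sample: the records it runs over are hand-constructed dicts whose field names follow Sysmon Event ID 13 (registry value set) and Event ID 1 (process creation) and mirror the rows on this page plus one benign control; the rule ids, `Hit`, `norm_key`, `as_int` and `triage` are all names chosen here. Two details from the page shape the rules: the policy write goes to the misspelled Policies\CurrentVersion\Explorern key rather than the documented Policies\Explorer path, so the policy rule keys on the value name under any Policies subkey, and the Security Center values are stored as strings rather than DWORDs, so the integer parser accepts both. DisableTaskMgr is included alongside NoControlPanel because the report flags Task Manager disabling without listing the write.

```python
"""Detection logic built from the registry and process IoCs in the report above.
Added example, not part of the sandbox report or the sample. The records are
hand-constructed dicts named after Sysmon Event ID 13 (registry value set) and
Event ID 1 (process creation) fields; they mirror the page's rows plus one
benign control, and are not a real log export."""
import re
from dataclasses import dataclass

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # stock Winlogon chain
MSD = r"C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe"
GEKON = r"C:\Users\Admin\AppData\Roaming\Gekon.exe"

@dataclass(frozen=True)
class Hit:
    rule: str
    process: str
    detail: str

def norm_key(target):
    """Hive prefixes, WOW64 redirection and ControlSet00N collapse to one form."""
    p = target.lower().replace("\\registry\\machine\\", "hklm\\")
    p = p.replace("\\registry\\user\\", "hku\\").replace("\\wow6432node\\", "\\")
    return re.sub(r"\\controlset\d{3}\\", lambda _: "\\currentcontrolset\\", p)

def as_int(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000004)'; this sample also writes
    numeric settings as REG_SZ ("1"), so accept both forms."""
    d = details.strip().lower()
    m = re.fullmatch(r"dword \(0x([0-9a-f]{1,8})\)", d)
    return int(m.group(1), 16) if m else (int(d) if d.isdigit() else None)

# Registry rules take (key, value name, data) and return (rule id, detail) or None.
def rule_userinit(key, name, data):
    chain = [e.strip().lower() for e in data.split(",") if e.strip()]
    if key.endswith("\\winlogon") and name == "userinit" and chain != [DEFAULT_USERINIT]:
        return "winlogon_userinit_persistence", data

def rule_firewall(key, name, data):
    if "\\firewallpolicy\\" in key and name == "enablefirewall" and as_int(data) == 0:
        return "firewall_profile_disabled", key.rsplit("\\", 1)[1]

def rule_wscsvc(key, name, data):
    if key.endswith("\\services\\wscsvc") and name == "start" and as_int(data) == 4:
        return "security_center_service_disabled", "Start=4"

def rule_seccenter(key, name, data):
    if key.endswith("\\security center") and name.endswith("disablenotify") and as_int(data) == 1:
        return "security_center_notify_suppressed", name

def rule_run_key(key, name, data):
    if key.endswith("\\currentversion\\run") and re.search(r"\\appdata\\(local\\temp|roaming)\\", data.lower()):
        return "run_key_into_user_temp", f"{name} = {data}"

def rule_policy(key, name, data):
    # Match the value name under any Policies subkey, not only the documented
    # Policies\Explorer / Policies\System paths: this sample writes to a misspelled
    # 'Explorern' key, which an exact-path rule would miss.
    if "\\currentversion\\policies\\" in key and name in ("nocontrolpanel", "disabletaskmgr") and as_int(data) == 1:
        return "restrictive_policy_set", f"{name} under {key}"

REGISTRY_RULES = [rule_userinit, rule_firewall, rule_wscsvc, rule_seccenter, rule_run_key, rule_policy]

def check_registry(ev):
    key, name = norm_key(ev["TargetObject"]).rsplit("\\", 1)
    results = (rule(key, name, str(ev["Details"])) for rule in REGISTRY_RULES)
    return [Hit(r[0], ev["Image"], r[1]) for r in results if r]

def check_process(ev):
    img, cmd, parent = (ev[k].lower() for k in ("Image", "CommandLine", "ParentImage"))
    hits = []
    if img.endswith("\\attrib.exe") and "+h" in cmd and "\\appdata\\" in cmd:  # hiding the dropped payload
        hits.append(Hit("attrib_hide_appdata_file", ev["Image"], ev["CommandLine"]))
    # bare notepad.exe spawned by a binary in AppData: the decoy both droppers write into
    if img.endswith("\\notepad.exe") and len(cmd.split()) == 1 and "\\appdata\\" in parent:
        hits.append(Hit("decoy_notepad_from_appdata", ev["ParentImage"], ev["CommandLine"]))
    return hits

def triage(events):
    return [h for ev in events
            for h in (check_registry(ev) if ev["EventID"] == 13 else
                      check_process(ev) if ev["EventID"] == 1 else [])]

def reg(image, target, details):  # constructed Sysmon EID 13 record
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": details}

SAMPLE_EVENTS = [  # constructed to mirror the report's rows; not a real log
    reg(GEKON, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
        r"C:\Windows\system32\userinit.exe," + MSD),
    reg(MSD, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
        "DWORD (0x00000000)"),
    reg(MSD, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start", "DWORD (0x00000004)"),
    reg(MSD, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "1"),
    reg(MSD, r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate1", MSD),
    reg(MSD, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel", "1"),
    # benign control: an installer rewriting the default UserInit chain
    reg(r"C:\Windows\System32\msiexec.exe",
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
        r"C:\Windows\system32\userinit.exe,"),
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\attrib.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\notepad.exe", "ParentImage": GEKON, "CommandLine": "notepad"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h.rule}] {h.process}: {h.detail}")
```

Run as a script it prints the eight hits (six registry, two process) and nothing for the benign UserInit rewrite. `norm_key` is what lets one rule cover the ControlSet001 and Wow6432Node spellings the sandbox recorded as well as the CurrentControlSet and native-hive forms a 64-bit variant would produce; to use the rules on a real Sysmon export, map its XML or JSON fields onto the same three or four keys and feed the records to `triage`.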
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
All eleven dropped-file records below carry the same hashes: the 541KB sample drops one 252KB binary as Gekon.exe, and the file later run as msd1csc.exe is a byte-identical copy of it.

- Filesize: 252KB
- MD5: 6f648790e3f364b7885b15a75dc84e90
- SHA1: 1e53de6d72c77796efc313becf40575cf0a464db
- SHA256: 30bcb57982cf131921d229ea13f6b1086bdd722266fde287609a31fb1896184a
- SHA512: 8bb05a9d42e65016fe171cd3d6ed38c06c7b990aad3efdb5494bd89dd29b2031b3bce3aeb4f4999052a4a6ba95a18465da15203fd599dd35935b7fd432d0aa40

Paths recorded for this file:
- C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe (2 records)
- C:\Users\Admin\AppData\Roaming\Gekon.exe (2 records)
- \Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe (2 records)
- \Users\Admin\AppData\Roaming\Gekon.exe (5 records)

Memory dump files:
- memory/268-68-0x0000000000000000-mapping.dmp
- memory/328-66-0x0000000000000000-mapping.dmp
- memory/520-60-0x0000000000000000-mapping.dmp
- memory/588-64-0x0000000000000000-mapping.dmp
- memory/1052-67-0x0000000000000000-mapping.dmp
- memory/1648-65-0x0000000000000000-mapping.dmp
- memory/1676-72-0x0000000000000000-mapping.dmp
- memory/1940-76-0x0000000000000000-mapping.dmp
- memory/1988-54-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize 8KB)