Analysis
max time kernel: 190s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:46
Static task: static1
Behavioral task: behavioral1
Sample: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe
Resource: win7-20220414-en
General
Target: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe
Size: 541KB
MD5: 60a23c51894524a344bfecab6532dc7f
SHA1: fb84a84cb7e6ce0ecf8fc75ffcf162ddcaffcdd7
SHA256: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f
SHA512: a43f13af5fc0beeec1802a8541cd79104766e82b4770221e0e8bfe78df48b04267d0b777a457badee7a548d90bcd7786048e616e666e566a80e20d8cf4a3ca52
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Gekon.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe" | Gekon.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msd1csc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msd1csc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msd1csc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msd1csc.exe

Modifies security service (2 TTPs, 1 IoC)
Processes: msd1csc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msd1csc.exe

Disables Task Manager via registry modification

Executes dropped EXE (2 IoCs)
Processes: Gekon.exe, msd1csc.exe
  pid | process
  3268 | Gekon.exe
  636 | msd1csc.exe

Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Gekon.exe | upx
  C:\Users\Admin\AppData\Roaming\Gekon.exe | upx
  C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe | upx
  C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe | upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe, Gekon.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Gekon.exe

Windows security modification
Processes: msd1csc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msd1csc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msd1csc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Gekon.exe, msd1csc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe" | Gekon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe" | msd1csc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: Gekon.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Gekon.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msd1csc.exe
  pid | process
  636 | msd1csc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: Gekon.exe, msd1csc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 3268 | Gekon.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 636 | msd1csc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msd1csc.exe
  pid | process
  636 | msd1csc.exe

Suspicious use of WriteProcessMemory (57 IoCs)
Processes: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe, Gekon.exe, cmd.exe, cmd.exe, msd1csc.exe
  description | pid | process | target process (identical rows collapsed; repeat count in brackets)
  PID 2252 wrote to memory of 3268 | 2252 | 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe | Gekon.exe [x3]
  PID 3268 wrote to memory of 3396 | 3268 | Gekon.exe | cmd.exe [x3]
  PID 3268 wrote to memory of 4376 | 3268 | Gekon.exe | cmd.exe [x3]
  PID 3396 wrote to memory of 3800 | 3396 | cmd.exe | attrib.exe [x3]
  PID 4376 wrote to memory of 4520 | 4376 | cmd.exe | attrib.exe [x3]
  PID 3268 wrote to memory of 2248 | 3268 | Gekon.exe | notepad.exe [x17]
  PID 3268 wrote to memory of 636 | 3268 | Gekon.exe | msd1csc.exe [x3]
  PID 636 wrote to memory of 4944 | 636 | msd1csc.exe | notepad.exe [x22]
System policy modification (1 TTP, 3 IoCs)
Processes: msd1csc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msd1csc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msd1csc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msd1csc.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  3800 | attrib.exe
  4520 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Gekon.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Gekon.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\attrib.exe
                cmdline: attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
                - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\attrib.exe
                cmdline: attrib "C:\Users\Admin\AppData\Roaming" +s +h
                - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\notepad.exe
            cmdline: notepad
        [3] C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe"
            - Modifies firewall policy service
            - Modifies security service
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            [4] C:\Windows\SysWOW64\notepad.exe
                cmdline: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe
  Filesize: 252KB
  MD5: 6f648790e3f364b7885b15a75dc84e90
  SHA1: 1e53de6d72c77796efc313becf40575cf0a464db
  SHA256: 30bcb57982cf131921d229ea13f6b1086bdd722266fde287609a31fb1896184a
  SHA512: 8bb05a9d42e65016fe171cd3d6ed38c06c7b990aad3efdb5494bd89dd29b2031b3bce3aeb4f4999052a4a6ba95a18465da15203fd599dd35935b7fd432d0aa40

C:\Users\Admin\AppData\Roaming\Gekon.exe
  Filesize: 252KB
  MD5: 6f648790e3f364b7885b15a75dc84e90
  SHA1: 1e53de6d72c77796efc313becf40575cf0a464db
  SHA256: 30bcb57982cf131921d229ea13f6b1086bdd722266fde287609a31fb1896184a
  SHA512: 8bb05a9d42e65016fe171cd3d6ed38c06c7b990aad3efdb5494bd89dd29b2031b3bce3aeb4f4999052a4a6ba95a18465da15203fd599dd35935b7fd432d0aa40
Memory dumps:
  memory/636-138-0x0000000000000000-mapping.dmp
  memory/2248-137-0x0000000000000000-mapping.dmp
  memory/3268-130-0x0000000000000000-mapping.dmp
  memory/3396-133-0x0000000000000000-mapping.dmp
  memory/3800-135-0x0000000000000000-mapping.dmp
  memory/4376-134-0x0000000000000000-mapping.dmp
  memory/4520-136-0x0000000000000000-mapping.dmp
  memory/4944-141-0x0000000000000000-mapping.dmp