Analysis
- max time kernel: 151s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:49
Static task: static1
Behavioral task: behavioral1
- Sample: f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
- Resource: win7-20220414-en
General
- Target: f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
- Size: 541KB
- MD5: d4c4ba434338058c59a3086acdb2539e
- SHA1: 04eef30c111240b5bb1c035e022b60fc31000207
- SHA256: f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d
- SHA512: 8800cfa243aa1ec5933680189266ddad4ec6b05f9571f9b150a23ad3bc10e51852b4a0574eb8303724a5caff61aeabb73ad836a299e6b37b8613b98d6b739fa2
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Gekon.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  PID 2008 Gekon.exe
  PID 1136 msdcsc.exe
- UPX packed file (yara rule: upx, 11 matches)
  \Users\Admin\AppData\Roaming\Gekon.exe (5 matches)
  C:\Users\Admin\AppData\Roaming\Gekon.exe (2 matches)
  \Users\Admin\Documents\MSDCSC\msdcsc.exe (2 matches)
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (2 matches)
- Loads dropped DLL (7 IoCs)
  PID 1296 f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe (5 loads)
  PID 2008 Gekon.exe (2 loads)
- Windows security modification (2 IoCs)
  Process: msdcsc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Gekon.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1136 msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Gekon.exe (PID 2008) and msdcsc.exe (PID 1136) each adjusted the same 23 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 33, 34 and 35.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1136 msdcsc.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  Source PID -> target PID (source process -> target process): number of writes
  1296 -> 2008 (f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe -> Gekon.exe): 4
  2008 -> 684 (Gekon.exe -> cmd.exe): 4
  2008 -> 1668 (Gekon.exe -> cmd.exe): 4
  684 -> 1552 (cmd.exe -> attrib.exe): 4
  1668 -> 1632 (cmd.exe -> attrib.exe): 4
  2008 -> 1136 (Gekon.exe -> msdcsc.exe): 4
  1136 -> 1948 (msdcsc.exe -> notepad.exe): 23
- System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 1632 attrib.exe
  PID 1552 attrib.exe
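The registry and file artifacts listed in the signatures above are what a responder re-checks on any host suspected of running this sample. The PowerShell script below is an added example, not part of the sandbox output: it queries each artifact and returns the hits as objects. The function names (Get-ReportIoCFindings, Test-RegValue) and the output field names are this example's own; the registry paths, value names, file paths and the SHA256 of the dropped file are taken from the report. It reads CurrentControlSet rather than the ControlSet001 alias the sandbox logged, and it checks both the native and the Wow6432Node Security Center keys, because the sample is a 32-bit process on x64 (its cmd.exe children run from SysWOW64) and its registry writes were redirected. The Documents\MSDCSC\msdcsc.exe drop path and the MicroUpdate Run value name are the defaults of the DarkComet RAT builder, so a hit on either is a strong indicator even when the file hash differs.

```powershell
# Added example: host triage for the artifacts in the report above. Not part of the sandbox output.
# Function names and output fields are this example's own. Run as Administrator on PowerShell 4 or later
# (HKLM writes, other users' hives and Get-FileHash need that).

$DroppedSha256 = '10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013'  # Gekon.exe / msdcsc.exe, from the Downloads section

function Test-RegValue {
    # $true when the named value exists under $Path and the $Expected predicate accepts it.
    param([string]$Path, [string]$Name, [scriptblock]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return [bool](& $Expected $item.$Name)
}

function Get-ReportIoCFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($What, $Where, $Evidence)
        $findings.Add([pscustomobject]@{ Indicator = $What; Location = $Where; Evidence = $Evidence }) }

    # 1. Winlogon\UserInit hijack. A clean value is "C:\Windows\system32\userinit.exe," and nothing after the comma.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wl -Name UserInit -ErrorAction SilentlyContinue).UserInit
    if ($userinit) {
        $extra = $userinit.Split(',') | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ne "$env:SystemRoot\system32\userinit.exe" }
        if ($extra) { & $add 'Modifies WinLogon for persistence' "$wl\UserInit" $userinit }
    }

    # 2. Run value "MicroUpdate", or any Run value pointing into \Documents\MSDCSC\, in every loaded user hive.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } | ForEach-Object {
        $run = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
                if ($p.Name -eq 'MicroUpdate' -or "$($p.Value)" -match '\\Documents\\MSDCSC\\') {
                    & $add 'Adds Run key to start application' "$run\$($p.Name)" $p.Value
                }
            }
        }
    }

    # 3. Firewall disabled on the standard profile (report logged this under ControlSet001).
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    if (Test-RegValue $fw 'EnableFirewall' { param($v) $v -eq 0 }) { & $add 'Modifies firewall policy service' "$fw\EnableFirewall" 0 }

    # 4. Security Center service (wscsvc) set to Disabled (Start = 4).
    $wsc = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
    if (Test-RegValue $wsc 'Start' { param($v) $v -eq 4 }) { & $add 'Modifies security service' "$wsc\Start" 4 }

    # 5. Security Center notifications silenced. The 32-bit sample wrote the Wow6432Node view; check both views.
    foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center') {
        foreach ($n in 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
            if (Test-RegValue $sc $n { param($v) "$v" -eq '1' }) { & $add 'Windows security modification' "$sc\$n" 1 }
        }
    }

    # 6. Policy key exactly as logged (note the odd "Policies\CurrentVersion\Explorern" path the sample creates).
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern'
    if (Test-RegValue $pol 'NoControlPanel' { param($v) "$v" -eq '1' }) { & $add 'System policy modification' "$pol\NoControlPanel" 1 }

    # 7. Dropped files in every profile. attrib +s +h hides them from dir and Explorer, so -Force is required.
    foreach ($profile in Get-ChildItem "$env:SystemDrive\Users" -Directory) {
        foreach ($rel in 'AppData\Roaming\Gekon.exe', 'Documents\MSDCSC\msdcsc.exe') {
            $f = Join-Path $profile.FullName $rel
            $fi = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
            if ($fi) {
                $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
                $match = if ($hash -eq $DroppedSha256) { ' (matches report)' } else { ' (different build)' }
                & $add 'Dropped file present' $f "attributes=$($fi.Attributes) sha256=$hash$match"
            }
        }
    }
    return $findings
}

Get-ReportIoCFindings | Format-Table -AutoSize -Wrap
```

An empty table means none of the report's artifacts are present in their logged form; it does not clear the host, since a rebuilt payload changes the file names, the Run value name and the hashes while keeping the same behaviour. The UserInit and firewall checks are the ones that survive such rebuilds, so keep them even if you trim the rest.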
Processes (depth in brackets, from the sandbox's process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe (PID 1296)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe"
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Gekon.exe (PID 2008)
        Command line: "C:\Users\Admin\AppData\Roaming\Gekon.exe"
        Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
          Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
            Signatures: Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
          Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
            Signatures: Views/modifies file attributes
    - [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1136)
          Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          Signatures: Modifies firewall policy service; Modifies security service; Executes dropped EXE; Windows security modification; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
      - [4] C:\Windows\SysWOW64\notepad.exe (PID 1948)
            Command line: notepad
The two cmd.exe children are launched with the System32 path but resolve to SysWOW64 binaries: the sample is 32-bit, so WoW64 file system redirection applies to everything it spawns.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Gekon.exe (also listed as \Users\Admin\AppData\Roaming\Gekon.exe)
  Filesize: 252KB
  MD5: 200dccea6b2e072fa47842830aaf7754
  SHA1: d07d57e782daf0b71e521257ef28d5ba69ebc6e2
  SHA256: 10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013
  SHA512: 87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (also listed as \Users\Admin\Documents\MSDCSC\msdcsc.exe)
  Filesize: 252KB
  MD5: 200dccea6b2e072fa47842830aaf7754
  SHA1: d07d57e782daf0b71e521257ef28d5ba69ebc6e2
  SHA256: 10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013
  SHA512: 87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be
Both dropped files have identical hashes: msdcsc.exe is a byte-for-byte copy of Gekon.exe placed at its final persistence path.
Memory dumps
- memory/684-64-0x0000000000000000-mapping.dmp
- memory/1136-70-0x0000000000000000-mapping.dmp
- memory/1296-54-0x0000000074F21000-0x0000000074F23000-memory.dmp (Filesize: 8KB)
- memory/1552-66-0x0000000000000000-mapping.dmp
- memory/1632-67-0x0000000000000000-mapping.dmp
- memory/1668-65-0x0000000000000000-mapping.dmp
- memory/1948-74-0x0000000000000000-mapping.dmp
- memory/2008-60-0x0000000000000000-mapping.dmp