Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
- Resource: win7-20220414-en
General
- Target: f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
- Size: 541KB
- MD5: d4c4ba434338058c59a3086acdb2539e
- SHA1: 04eef30c111240b5bb1c035e022b60fc31000207
- SHA256: f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d
- SHA512: 8800cfa243aa1ec5933680189266ddad4ec6b05f9571f9b150a23ad3bc10e51852b4a0574eb8303724a5caff61aeabb73ad836a299e6b37b8613b98d6b739fa2
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | Gekon.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  - Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
- Modifies security service (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 1044 | Gekon.exe
  - 1372 | msdcsc.exe
- YARA rule matches on dropped files (resource | yara_rule):
  - C:\Users\Admin\AppData\Roaming\Gekon.exe | upx
  - C:\Users\Admin\AppData\Roaming\Gekon.exe | upx
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Gekon.exe
- Windows security modification (2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | Gekon.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Gekon.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  - 1372 | msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (description | pid | process); both processes adjusted the same 24 token privileges:
  - Gekon.exe (PID 1044): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - msdcsc.exe (PID 1372): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  - 1372 | msdcsc.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes (description | pid | process | target process); identical rows are collapsed with their count:
  - PID 3568 wrote to memory of 1044 | 3568 | f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe | Gekon.exe (3 times)
  - PID 1044 wrote to memory of 4064 | 1044 | Gekon.exe | cmd.exe (3 times)
  - PID 1044 wrote to memory of 3068 | 1044 | Gekon.exe | cmd.exe (3 times)
  - PID 4064 wrote to memory of 1900 | 4064 | cmd.exe | attrib.exe (3 times)
  - PID 3068 wrote to memory of 1544 | 3068 | cmd.exe | attrib.exe (3 times)
  - PID 1044 wrote to memory of 1372 | 1044 | Gekon.exe | msdcsc.exe (3 times)
  - PID 1372 wrote to memory of 1908 | 1372 | msdcsc.exe | notepad.exe (22 times)
- System policy modification (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes (pid | process):
  - 1544 | attrib.exe
  - 1900 | attrib.exe
Processes (tree; depth shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe (PID 3568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Gekon.exe (PID 1044)
    Command line: "C:\Users\Admin\AppData\Roaming\Gekon.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 4064)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe (PID 1900)
        Command line: attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
        - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 3068)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe (PID 1544)
        Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
        - Views/modifies file attributes
    - [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1372)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - [4] C:\Windows\SysWOW64\notepad.exe (PID 1908)
        Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Gekon.exe
  Filesize: 252KB
  MD5: 200dccea6b2e072fa47842830aaf7754
  SHA1: d07d57e782daf0b71e521257ef28d5ba69ebc6e2
  SHA256: 10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013
  SHA512: 87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: 200dccea6b2e072fa47842830aaf7754
  SHA1: d07d57e782daf0b71e521257ef28d5ba69ebc6e2
  SHA256: 10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013
  SHA512: 87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be
  (Both dropped files carry identical hashes; each was listed twice in the report and is shown once here.)
- Memory dumps:
  - memory/1044-130-0x0000000000000000-mapping.dmp
  - memory/1372-137-0x0000000000000000-mapping.dmp
  - memory/1544-136-0x0000000000000000-mapping.dmp
  - memory/1900-135-0x0000000000000000-mapping.dmp
  - memory/1908-140-0x0000000000000000-mapping.dmp
  - memory/3068-134-0x0000000000000000-mapping.dmp
  - memory/4064-133-0x0000000000000000-mapping.dmp