1aec273004c1804ca7491860677c80fa6405ce0ec8843d1ffffbf5ff1f2f6c93

General

Target

Gemini.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Gemini.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Gemini.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Gemini.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360190016"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A96A1D1-DBA2-11EC-A5C5-C6DEEDF3EE1E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000f486dcb4108bcaf29bf248951d32d361242c6fdce2e159ef1137522e57606ef6000000000e80000000020000200000006e86726961ffb89f07d76e193906bf5cd5d0f442c2f19f6f5edd347d6a661bc8900000001b8832836d70028bcaa5b63ae2cbc1211f323ade13c48aee6b2aae0822cac8190d63db612c2074585e3860f274803941c3a4fc75a3d1601802e418844adf0a8e6fb9e0f2a51f923f5c4bfb0dbb7688c3f329baebe7d29f07e7cd7302b3f1e4a465b52444b40e4a76ad5207a822a480d5f55b1df8f047390a446df15f7a4394dbf47bd91b2380c2cc2d320af636d85b9b40000000a4f43bb653ebc49be2ed4bf56ddbdfc32a4e0c3900aaa7e52b6ac78ed55b6b3326f475e6df438087995013e54746669c25314dfeb2736abb9a2f797813f9ff95	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705cd226af6fd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000027d3d9bd05e0a2fcf6bd8b2df3620b49538a0fd0250113a20007e8e37435c7a4000000000e800000000200002000000013bf75b45bca16fe0e729859ddae02c86a7a286ee6b96491c979bac234452447200000005457ed175b8da3700a06150070958ed28772bab07e1c79f9107e414df6c78d11400000004b888ad91ddde98ce90326cddd8a2af5c49015286b43edf07b63aff1e2a8937db23ee42e987597aa6a55ab532bea74516b240426f7c7600ab108ce7accf55c56	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Gemini.exeGemini.exeGemini.exeGemini.exeGemini.exe

pid	process
952	Gemini.exe
1956	Gemini.exe
2000	Gemini.exe
1796	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
2000	Gemini.exe
1796	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe
1872	Gemini.exe
952	Gemini.exe
1956	Gemini.exe
1796	Gemini.exe
2000	Gemini.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1076	AUDIODG.EXE
Token: 33	1076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1076	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1168 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1168 iexplore.exe
1168 iexplore.exe
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE

pid	process
1168	iexplore.exe

pid	process
1168	iexplore.exe
1168	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Gemini.exeGemini.exeiexplore.exe

description	pid	process	target process
PID 1472 wrote to memory of 952	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 952	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 952	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 952	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1956	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1956	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1956	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1956	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1796	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1796	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1796	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1796	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 2000	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 2000	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 2000	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 2000	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1872	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1872	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1872	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1872	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1920	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1920	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1920	1472	Gemini.exe	Gemini.exe
PID 1472 wrote to memory of 1920	1472	Gemini.exe	Gemini.exe
PID 1920 wrote to memory of 936	1920	Gemini.exe	notepad.exe
PID 1920 wrote to memory of 936	1920	Gemini.exe	notepad.exe
PID 1920 wrote to memory of 936	1920	Gemini.exe	notepad.exe
PID 1920 wrote to memory of 936	1920	Gemini.exe	notepad.exe
PID 1920 wrote to memory of 1168	1920	Gemini.exe	iexplore.exe
PID 1920 wrote to memory of 1168	1920	Gemini.exe	iexplore.exe
PID 1920 wrote to memory of 1168	1920	Gemini.exe	iexplore.exe
PID 1920 wrote to memory of 1168	1920	Gemini.exe	iexplore.exe
PID 1168 wrote to memory of 1816	1168	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1816	1168	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1816	1168	iexplore.exe	IEXPLORE.EXE
PID 1168 wrote to memory of 1816	1168	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Gemini.exe
"C:\Users\Admin\AppData\Local\Temp\Gemini.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\Gemini.exe
  "C:\Users\Admin\AppData\Local\Temp\Gemini.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Users\Admin\AppData\Local\Temp\Gemini.exe
  "C:\Users\Admin\AppData\Local\Temp\Gemini.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\Gemini.exe
  "C:\Users\Admin\AppData\Local\Temp\Gemini.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\Gemini.exe
  "C:\Users\Admin\AppData\Local\Temp\Gemini.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\Gemini.exe
  "C:\Users\Admin\AppData\Local\Temp\Gemini.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\Gemini.exe
  "C:\Users\Admin\AppData\Local\Temp\Gemini.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:936
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+download+memz
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d73070aed0767e6be5b79686f8debf90

SHA1
26dabd5d5d1c0b54abc22a1a8e8516842bae13b4

SHA256
b75ae16cbea192c4baeaaf74fc47eca66c5f04fbe757986804579eb09177d7f1

SHA512
0782caddd3f0b6092da52073091413cc408769a8696acddbb17a92485d2860da397de5c93447e2c05575aa16093fec6e4b72afb6f931c1479a813acbfd5684d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat

Filesize
9KB

MD5
607b253be57976013097a6c5ef39af70

SHA1
2b53e31c04de9028febd709ea9956f8a45688268

SHA256
5efbe4dbef27ca137caf6dd4870567a8d2cd03c7985786414cbe83785711e755

SHA512
d196e3bbf155efeb7b575941958d6c6e7cc900d0f88d9d3f2dfe2487d0660c51a17ef50a838515ef9275a14d1a214255c87d91315bdefb467a7d622be34bf954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G3SUK1JV.txt

Filesize
595B

MD5
5ecbe4099c1bbfea42e6592fa58f82b4

SHA1
3c1d8c391635d04a2b34fd588692be23ac3ab854

SHA256
cb26691e61af278317f8bf5fb7f0bb95ed0fa0daecb7e6d159e341b4d8b436f0

SHA512
40482d5218c8637b9eb669522df05f7b1be7265c83cceead1bd3a3d8a4d97ea235dce91e1e88cd19c69ee7d464370286f7c5ed8d96ec4195fc00a86b3de09f8d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/936-67-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1796-59-0x0000000000000000-mapping.dmp

Download
memory/1872-63-0x0000000000000000-mapping.dmp

Download
memory/1920-65-0x0000000000000000-mapping.dmp

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/2000-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads