Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2022, 16:03
Static task: static1
Behavioral task: behavioral1
- Sample: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
- Resource: win10v2004-20220901-en
General
- Target: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
- Size: 156KB
- MD5: 5c8fcc6e788812f08afccc5dd83d5d7e
- SHA1: d479b0e8b57916b12776771d59fe49e25f3249f0
- SHA256: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d
- SHA512: 28e5412cc793b328f78b4ae40751f59bfcf8eae00463ca1f32a5a471b711d302644eb39d0296825794fbc4848be1fc4f77cca9af211fdb41ea675871d32b8a98
- SSDEEP: 3072:lfpKozn0UIhCjG8G3GbGVGBGfGuGxGWYcrf6KadU:lfooz0NAYcD6Kad
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: geabim.exe
- Executes dropped EXE (1 IoC)
  pid: 1628
  Process: geabim.exe
- Loads dropped DLL (2 IoCs)
  pid: 2000, Process: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
  pid: 2000, Process: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Process: geabim.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geabim = "C:\\Users\\Admin\\geabim.exe"
  Process: geabim.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1628, Process: geabim.exe (all 64 entries are identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2000, Process: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
  pid: 1628, Process: geabim.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2000 wrote to memory of 1628; pid: 2000; Process: 9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe; procid_target: 28 (4 entries)
  description: PID 1628 wrote to memory of 2000; pid: 1628; Process: geabim.exe; procid_target: 27 (all remaining entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d79cf4ece8255c0eee7fdf82838bfe124db5c7568875a65ae1e00c8210c401d.exe"
  PID: 2000
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\geabim.exe (child process)
    Command line: "C:\Users\Admin\geabim.exe"
    PID: 1628
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 156KB
  MD5: d393ec90f1a6c659ca84d9386eb7c9ae
  SHA1: d9e3a85578c67b009220300a3016e2c66dffde7c
  SHA256: dacd30c9648d4394b74e40a1c9722b17eaf26daacb136232db05c1d7c4080097
  SHA512: 16eaef3c0ccd6de92c033cd2d189040f73de40dbe98cdf56a97d4963a5bb7aac7b8ce3d27d1b15ac0159aee9e0d0479dedddd997a3bf8918f0505cdcf26dc917