51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de

General

Target

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
Size

1.1MB
MD5

7699d7617c64ca8faf8bead25c868847
SHA1

6e56352be6db1aa83c4062547e280707bf4adb96
SHA256

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de
SHA512

b0464e03c1078d3fe1347e392e5eff7c02d5bcd9b408480cd56805b35e0884621ac5dac1fd97e83894b97dfceba6bb670a38c360372f976d308a9c67d61a2c8e
SSDEEP

24576:WRmJkcoQricOIQxiZY1iavZZD/a/i1QVdzvTZnW:zJZoQrbTFZY1iaPDzD

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

gielq.exegielq.exe

pid process

1732 gielq.exe
764 gielq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

536 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe

pid process

2024 51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe

pid	process
1732	gielq.exe
764	gielq.exe

pid	process
536	cmd.exe

pid	process
2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gielq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{DF7D23C2-8AB6-EA16-0883-88407334575E} = "C:\\Users\\Admin\\AppData\\Roaming\\Bion\\gielq.exe"	gielq.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	gielq.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Bion\gielq.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Bion\gielq.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Bion\gielq.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Bion\gielq.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exegielq.exe

description	pid	process	target process
PID 1184 set thread context of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1732 set thread context of 764	1732	gielq.exe	gielq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

gielq.exe

pid	process
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe
764	gielq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe

description pid process

Token: SeSecurityPrivilege 2024 51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe

description	pid	process
Token: SeSecurityPrivilege	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exegielq.exe

pid	process
1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
1732	gielq.exe
1732	gielq.exe
1732	gielq.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exegielq.exe

pid	process
1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
1732	gielq.exe
1732	gielq.exe
1732	gielq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exegielq.exegielq.exe

description	pid	process	target process
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 1184 wrote to memory of 2024	1184	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
PID 2024 wrote to memory of 1732	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	gielq.exe
PID 2024 wrote to memory of 1732	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	gielq.exe
PID 2024 wrote to memory of 1732	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	gielq.exe
PID 2024 wrote to memory of 1732	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 1732 wrote to memory of 764	1732	gielq.exe	gielq.exe
PID 2024 wrote to memory of 536	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	cmd.exe
PID 2024 wrote to memory of 536	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	cmd.exe
PID 2024 wrote to memory of 536	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	cmd.exe
PID 2024 wrote to memory of 536	2024	51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe	cmd.exe
PID 764 wrote to memory of 1136	764	gielq.exe	taskhost.exe
PID 764 wrote to memory of 1136	764	gielq.exe	taskhost.exe
PID 764 wrote to memory of 1136	764	gielq.exe	taskhost.exe
PID 764 wrote to memory of 1136	764	gielq.exe	taskhost.exe
PID 764 wrote to memory of 1136	764	gielq.exe	taskhost.exe
PID 764 wrote to memory of 1220	764	gielq.exe	Dwm.exe
PID 764 wrote to memory of 1220	764	gielq.exe	Dwm.exe
PID 764 wrote to memory of 1220	764	gielq.exe	Dwm.exe
PID 764 wrote to memory of 1220	764	gielq.exe	Dwm.exe
PID 764 wrote to memory of 1220	764	gielq.exe	Dwm.exe
PID 764 wrote to memory of 1284	764	gielq.exe	Explorer.EXE
PID 764 wrote to memory of 1284	764	gielq.exe	Explorer.EXE
PID 764 wrote to memory of 1284	764	gielq.exe	Explorer.EXE
PID 764 wrote to memory of 1284	764	gielq.exe	Explorer.EXE
PID 764 wrote to memory of 1284	764	gielq.exe	Explorer.EXE
PID 764 wrote to memory of 536	764	gielq.exe	cmd.exe
PID 764 wrote to memory of 536	764	gielq.exe	cmd.exe
PID 764 wrote to memory of 536	764	gielq.exe	cmd.exe
PID 764 wrote to memory of 536	764	gielq.exe	cmd.exe
PID 764 wrote to memory of 536	764	gielq.exe	cmd.exe
PID 764 wrote to memory of 636	764	gielq.exe	conhost.exe
PID 764 wrote to memory of 1952	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1952	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1952	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1952	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1952	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1016	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1016	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1016	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1016	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1016	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1036	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1036	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1036	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1036	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 1036	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 896	764	gielq.exe	DllHost.exe
PID 764 wrote to memory of 896	764	gielq.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
"C:\Users\Admin\AppData\Local\Temp\51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe
"C:\Users\Admin\AppData\Local\Temp\51e18491f225eb287e44dae137f147802c95d838811bb75797537ec21bb925de.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\Bion\gielq.exe
"C:\Users\Admin\AppData\Roaming\Bion\gielq.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\Bion\gielq.exe
"C:\Users\Admin\AppData\Roaming\Bion\gielq.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp00b64b1c.bat"
4⤵
- Deletes itself
PID:536

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1886205890300194998-1452431087497022087-916228969-535173316-2092389270-1703078187"
1⤵
PID:636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp00b64b1c.bat
Filesize
307B

MD5
8d40038dfc6b17b3fdc1f4dd301a2a08

SHA1
90f1eaaa2b55eab627898637e0f48f251f99318e

SHA256
07d89334a681133bdbfb8a0c1d8affb37cb606f3d5d127bd0a8fee488f4bdd2d

SHA512
d6808b826d4d6dc4a895503d4f60c4e619df02b4c352091e27b6dec381a2c3f0a2d89e24c944ac4c899d7cdf255fce70685caddb4be225245508ffdd4a1cbde5

Download Submit
C:\Users\Admin\AppData\Roaming\Bion\gielq.exe
Filesize
1.1MB

MD5
1f7d6b5fb2dbf6e3ff2b6c75ef39699e

SHA1
4b1f528ee87ea5564832cd4cbb05348e2d578875

SHA256
9580c9ff7e4a3c555f5230047a5473f9b6dc7e2394c382a9cd1652e112dad2ff

SHA512
d3f853aefefecbc26c7fe70ca89d94a219774a646bbea84a32c2d4c04b5f0e7060c1ec987c513956ec318953bf8a48b92fe9c90b307479d8efd89c6b8f2328a0

Download Submit
C:\Users\Admin\AppData\Roaming\Bion\gielq.exe
Filesize
1.1MB

MD5
1f7d6b5fb2dbf6e3ff2b6c75ef39699e

SHA1
4b1f528ee87ea5564832cd4cbb05348e2d578875

SHA256
9580c9ff7e4a3c555f5230047a5473f9b6dc7e2394c382a9cd1652e112dad2ff

SHA512
d3f853aefefecbc26c7fe70ca89d94a219774a646bbea84a32c2d4c04b5f0e7060c1ec987c513956ec318953bf8a48b92fe9c90b307479d8efd89c6b8f2328a0

Download Submit
C:\Users\Admin\AppData\Roaming\Bion\gielq.exe
Filesize
1.1MB

MD5
1f7d6b5fb2dbf6e3ff2b6c75ef39699e

SHA1
4b1f528ee87ea5564832cd4cbb05348e2d578875

SHA256
9580c9ff7e4a3c555f5230047a5473f9b6dc7e2394c382a9cd1652e112dad2ff

SHA512
d3f853aefefecbc26c7fe70ca89d94a219774a646bbea84a32c2d4c04b5f0e7060c1ec987c513956ec318953bf8a48b92fe9c90b307479d8efd89c6b8f2328a0

Download Submit
\Users\Admin\AppData\Roaming\Bion\gielq.exe
Filesize
1.1MB

MD5
1f7d6b5fb2dbf6e3ff2b6c75ef39699e

SHA1
4b1f528ee87ea5564832cd4cbb05348e2d578875

SHA256
9580c9ff7e4a3c555f5230047a5473f9b6dc7e2394c382a9cd1652e112dad2ff

SHA512
d3f853aefefecbc26c7fe70ca89d94a219774a646bbea84a32c2d4c04b5f0e7060c1ec987c513956ec318953bf8a48b92fe9c90b307479d8efd89c6b8f2328a0

Download Submit
memory/536-105-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/536-107-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/536-106-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/536-108-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/536-83-0x0000000000000000-mapping.dmp

Download
memory/764-79-0x0000000000413048-mapping.dmp

Download
memory/764-111-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1016-120-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1016-123-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1016-121-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1016-122-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1036-126-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1036-127-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1036-129-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1036-128-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1136-87-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1136-88-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1136-89-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1136-90-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1184-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1220-93-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1220-96-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1220-95-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1220-94-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1284-102-0x0000000002AB0000-0x0000000002AD7000-memory.dmp

Filesize
156KB

Download
memory/1284-101-0x0000000002AB0000-0x0000000002AD7000-memory.dmp

Filesize
156KB

Download
memory/1284-100-0x0000000002AB0000-0x0000000002AD7000-memory.dmp

Filesize
156KB

Download
memory/1284-99-0x0000000002AB0000-0x0000000002AD7000-memory.dmp

Filesize
156KB

Download
memory/1732-68-0x0000000000000000-mapping.dmp

Download
memory/1952-117-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1952-114-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1952-115-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1952-116-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2024-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-84-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-62-0x0000000000413048-mapping.dmp

Download
memory/2024-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2024-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads