55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

General

Target

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
Size

1.2MB
MD5

244db981bea51bcb8ed7b591de3c15af
SHA1

c57b2aed176c8bccf599fba290e43a945e46df4e
SHA256

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f
SHA512

c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9
SSDEEP

12288:WpQzNWXXasPZqhm0AVlKeSeSofbU1RVBdw5DSd2zGBkzxrlNIQR1dVubUGKN5J93:W5asB+lKbUuaBkz7uUpnRm3UUc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

gejzibk.exegejzibk.exe

pid process

1364 gejzibk.exe
1116 gejzibk.exe

pid	process
1364	gejzibk.exe
1116	gejzibk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exegejzibk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	gejzibk.exe

Loads dropped DLL 1 IoCs

Processes:

gejzibk.exe

pid process

1364 gejzibk.exe

pid	process
1364	gejzibk.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exegejzibk.exe

description	pid	process	target process
PID 2032 set thread context of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 1364 set thread context of 1116	1364	gejzibk.exe	gejzibk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exegejzibk.exegejzibk.exe

pid	process
2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
1776	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
1364	gejzibk.exe
1364	gejzibk.exe
1116	gejzibk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exegejzibk.exe

pid	process
2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
1364	gejzibk.exe
1364	gejzibk.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exetaskeng.exegejzibk.exe

description	pid	process	target process
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2032 wrote to memory of 1776	2032	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 852 wrote to memory of 1364	852	taskeng.exe	gejzibk.exe
PID 852 wrote to memory of 1364	852	taskeng.exe	gejzibk.exe
PID 852 wrote to memory of 1364	852	taskeng.exe	gejzibk.exe
PID 852 wrote to memory of 1364	852	taskeng.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe
PID 1364 wrote to memory of 1116	1364	gejzibk.exe	gejzibk.exe

C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
"C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\system32\taskeng.exe
taskeng.exe {A17D5CCA-C563-442E-A9D9-35B1F4258AA7} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\qrsyusl

Filesize
654B

MD5
b492d38f9d8d729ab57a5044bee4dcdc

SHA1
21fa110cf754da71091524493df00c7cc4b15a79

SHA256
2dc1512b5859cd26683af76258bf9514106ce5814756a2c6618ab1143f07a39a

SHA512
99465102d4fd754860ef3847688a4b525c00a7ede40799f9135deb6ef608b1ca9d5d9ec5c66b4461e21883e1f8c3072e8e5d131da38e4b21277955f46d96e003

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
\Users\Admin\AppData\Local\Temp\gejzibk.exe

Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
memory/1116-80-0x0000000000880000-0x0000000000AC1000-memory.dmp

Filesize
2.3MB

Download
memory/1116-75-0x00000000004707F5-mapping.dmp

Download
memory/1364-67-0x0000000000000000-mapping.dmp

Download
memory/1776-59-0x00000000004707F5-mapping.dmp

Download
memory/1776-65-0x0000000000400000-0x00000000004A6E00-memory.dmp

Filesize
667KB

Download
memory/1776-64-0x00000000008F0000-0x0000000000B31000-memory.dmp

Filesize
2.3MB

Download
memory/1776-62-0x00000000006E0000-0x00000000008F0000-memory.dmp

Filesize
2.1MB

Download
memory/1776-58-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1776-56-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1776-55-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2032-60-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2032-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads