3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840

General

Target

3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
Size

244KB
MD5

353631c7e3686b6aba08dcab28849013
SHA1

0e0054e1175f1119e44aa71f94ad9b059c207338
SHA256

3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840
SHA512

48f3577e731cf6b984b8602241eba4855a7dd2846a76e527d347a5c55ea49b3927d8ae0eff285b93c1b586696db5a6a9dde0b44652800d7b9f8386af94e1d469
SSDEEP

6144:oHAn9UvAqXDdJZRx8zm/4Q7OkkXJLbg4xK4laa:Pn9UvxXDdJZRx8zm/4Q7OksJLbg4x

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

geoayaq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geoayaq.exe

Executes dropped EXE 1 IoCs

Processes:

geoayaq.exe

pid process

4180 geoayaq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

geoayaq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /l"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /u"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /k"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /R"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /G"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /v"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /Y"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /J"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /j"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /B"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /N"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /a"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /W"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /n"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /M"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /c"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /o"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /s"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /z"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /V"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /C"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /F"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /h"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /b"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /I"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /T"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /x"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /f"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /i"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /L"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /O"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /Q"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /t"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /d"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /q"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /P"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /Z"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /E"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /K"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /r"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /w"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /H"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /e"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /m"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /D"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /g"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /X"	geoayaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geoayaq = "C:\\Users\\Admin\\geoayaq.exe /p"	geoayaq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

geoayaq.exe

pid	process
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe
4180	geoayaq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exegeoayaq.exe

pid process

4636 3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
4180 geoayaq.exe

pid	process
4636	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
4180	geoayaq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exegeoayaq.exe

description	pid	process	target process
PID 4636 wrote to memory of 4180	4636	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe	geoayaq.exe
PID 4636 wrote to memory of 4180	4636	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe	geoayaq.exe
PID 4636 wrote to memory of 4180	4636	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe	geoayaq.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
PID 4180 wrote to memory of 4636	4180	geoayaq.exe	3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe

C:\Users\Admin\AppData\Local\Temp\3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe
"C:\Users\Admin\AppData\Local\Temp\3999b02a5ea3296196d635345d1641e8e5b294de86df15b4c7877442fe2ec840.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\geoayaq.exe
"C:\Users\Admin\geoayaq.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\geoayaq.exe

Filesize
244KB

MD5
edbe8501fd3dfd80ff30c65df59a7183

SHA1
41b74dc45b509ff2e04f551111c901f849e3fc04

SHA256
34b3c0eee8018deeb0c76e73407df92af8fa6ffd98139051d6fa1f8880d65afb

SHA512
55e3a5cefc99e82c54e4eab23af810d563380a6a587f94284ce050623e727632a6d7916e69868a95dd1bc8031130d76d77b0d35d4afc84257def89a822f772e4

Download Submit
C:\Users\Admin\geoayaq.exe

Filesize
244KB

MD5
edbe8501fd3dfd80ff30c65df59a7183

SHA1
41b74dc45b509ff2e04f551111c901f849e3fc04

SHA256
34b3c0eee8018deeb0c76e73407df92af8fa6ffd98139051d6fa1f8880d65afb

SHA512
55e3a5cefc99e82c54e4eab23af810d563380a6a587f94284ce050623e727632a6d7916e69868a95dd1bc8031130d76d77b0d35d4afc84257def89a822f772e4

Download Submit
memory/4180-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads