af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835

General

Target

af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
Size

88KB
MD5

ce8f25bea2d697253fca83276f73dd72
SHA1

3099a4b94f466dd046510b2a0cc67f79d00f9638
SHA256

af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835
SHA512

4103c00b956ed301e8956f347e48f17349c6ca6bf66e3a2bae2067128c404b6e610da0fdc1aa5e660b645095a2c0d8e0953e908a3a674531962029539cb50811
SSDEEP

768:3DFIbMrddaqnObOasGEwU8Z1Rbe2kjEQJQ1H7a8zFkzqcwORyrI:BIAeiCU8Z1QjEQJecwOQU

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

geuroem.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geuroem.exe

Executes dropped EXE 1 IoCs

Processes:

geuroem.exe

pid process

788 geuroem.exe

Loads dropped DLL 2 IoCs

Processes:

af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe

pid	process
1440	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
1440	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

geuroem.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /r"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /c"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /L"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /K"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /s"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /J"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /p"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /g"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /A"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /S"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /f"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /Y"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /H"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /y"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /i"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /b"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /N"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /F"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /Q"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /G"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /n"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /E"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /w"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /D"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /x"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /q"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /t"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /a"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /T"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /e"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /o"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /I"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /R"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /l"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /U"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /j"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /h"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /V"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /C"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /M"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /z"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /Z"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /v"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /O"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /m"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /B"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /u"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /X"	geuroem.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /k"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /P"	geuroem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geuroem = "C:\\Users\\Admin\\geuroem.exe /d"	geuroem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

geuroem.exe

pid	process
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe
788	geuroem.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exegeuroem.exe

pid process

1440 af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
788 geuroem.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exegeuroem.exe

description	pid	process	target process
PID 1440 wrote to memory of 788	1440	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe	geuroem.exe
PID 1440 wrote to memory of 788	1440	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe	geuroem.exe
PID 1440 wrote to memory of 788	1440	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe	geuroem.exe
PID 1440 wrote to memory of 788	1440	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe	geuroem.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
PID 788 wrote to memory of 1440	788	geuroem.exe	af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe

C:\Users\Admin\AppData\Local\Temp\af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe
"C:\Users\Admin\AppData\Local\Temp\af8983f7b686a043ffc12cbbf3a03809853651304817adbfa9f3b5f4d9890835.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\geuroem.exe
"C:\Users\Admin\geuroem.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\geuroem.exe

Filesize
88KB

MD5
7c1c3d5286891773e810201d5c7be669

SHA1
57fa8a19acdc2a9fb14c8c17dda4e11d888d12df

SHA256
1a7e12d465202f13d921ea01e4cd93c98814f81726e25c5ce68d350d2991aef4

SHA512
d8269986a889ec2b7a52384c6f76b94fd774235e0d14cca875b55b7e089c0d31fb0ba0d0733fda31a590cc7c739ffc6749ee60009c9bbabace228ed8bc046216

Download Submit
C:\Users\Admin\geuroem.exe

Filesize
88KB

MD5
7c1c3d5286891773e810201d5c7be669

SHA1
57fa8a19acdc2a9fb14c8c17dda4e11d888d12df

SHA256
1a7e12d465202f13d921ea01e4cd93c98814f81726e25c5ce68d350d2991aef4

SHA512
d8269986a889ec2b7a52384c6f76b94fd774235e0d14cca875b55b7e089c0d31fb0ba0d0733fda31a590cc7c739ffc6749ee60009c9bbabace228ed8bc046216

Download Submit
\Users\Admin\geuroem.exe

Filesize
88KB

MD5
7c1c3d5286891773e810201d5c7be669

SHA1
57fa8a19acdc2a9fb14c8c17dda4e11d888d12df

SHA256
1a7e12d465202f13d921ea01e4cd93c98814f81726e25c5ce68d350d2991aef4

SHA512
d8269986a889ec2b7a52384c6f76b94fd774235e0d14cca875b55b7e089c0d31fb0ba0d0733fda31a590cc7c739ffc6749ee60009c9bbabace228ed8bc046216

Download Submit
\Users\Admin\geuroem.exe

Filesize
88KB

MD5
7c1c3d5286891773e810201d5c7be669

SHA1
57fa8a19acdc2a9fb14c8c17dda4e11d888d12df

SHA256
1a7e12d465202f13d921ea01e4cd93c98814f81726e25c5ce68d350d2991aef4

SHA512
d8269986a889ec2b7a52384c6f76b94fd774235e0d14cca875b55b7e089c0d31fb0ba0d0733fda31a590cc7c739ffc6749ee60009c9bbabace228ed8bc046216

Download Submit
memory/788-59-0x0000000000000000-mapping.dmp

Download
memory/1440-56-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads