91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2

Analysis

max time kernel
152s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
Size

294KB
MD5

2e9953436b0a50e6790b4aca52ccdcbc
SHA1

cd204cc097daa5145f500d0658949c2fc000f7f5
SHA256

91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2
SHA512

558c6e8a1a8b729803709d42992adaed69629a0d3d5ddd0a120563c406a43b2f0633e19587383db61d72bc1395a06f966550f5b19c9dfc945ec738c27ff09101
SSDEEP

6144:cii/AdpkpF7yz3CydFEkDaAB5b43PQWOn3jEbF6pOO5N1A1KNP:CATkFa3nd+6aa1koW23QYpOq5

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\effecbaudio = "rundll32.exe \"geedec.dll\",s"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\gebbabaudio = "rundll32.exe \"geedec.dll\",s"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\geedec.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ms.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\hxdsui.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penjpn.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLPROXY.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnOL.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IMCONTACT.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnv.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_mr.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sl.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS000C.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sr.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BULLETS.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSLaunch.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAProject.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCDDSUI.DLL	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpnr.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe
Token: SeDebugPrivilege	892	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 784 wrote to memory of 892	784	91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe	26
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 416	892	rundll32.exe	21
PID 892 wrote to memory of 1232	892	rundll32.exe	11
PID 892 wrote to memory of 1312	892	rundll32.exe	10
PID 892 wrote to memory of 784	892	rundll32.exe	17
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9
PID 892 wrote to memory of 1360	892	rundll32.exe	9

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
  "C:\Users\Admin\AppData\Local\Temp\91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\geedec.dll",s
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\geedec.dll

Filesize
294KB

MD5
42c7ecb13220f1f8ab2ce8edd78379bc

SHA1
e27888ba34504f85590f2f44df2ff199ece7fdc4

SHA256
776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf

SHA512
3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984

Download Submit
\Windows\SysWOW64\geedec.dll

Filesize
294KB

MD5
42c7ecb13220f1f8ab2ce8edd78379bc

SHA1
e27888ba34504f85590f2f44df2ff199ece7fdc4

SHA256
776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf

SHA512
3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984

Download Submit
\Windows\SysWOW64\geedec.dll

Filesize
294KB

MD5
42c7ecb13220f1f8ab2ce8edd78379bc

SHA1
e27888ba34504f85590f2f44df2ff199ece7fdc4

SHA256
776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf

SHA512
3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984

Download Submit
\Windows\SysWOW64\geedec.dll

Filesize
294KB

MD5
42c7ecb13220f1f8ab2ce8edd78379bc

SHA1
e27888ba34504f85590f2f44df2ff199ece7fdc4

SHA256
776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf

SHA512
3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984

Download Submit
\Windows\SysWOW64\geedec.dll

Filesize
294KB

MD5
42c7ecb13220f1f8ab2ce8edd78379bc

SHA1
e27888ba34504f85590f2f44df2ff199ece7fdc4

SHA256
776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf

SHA512
3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984

Download Submit
\Windows\SysWOW64\geedec.dll

Filesize
294KB

MD5
42c7ecb13220f1f8ab2ce8edd78379bc

SHA1
e27888ba34504f85590f2f44df2ff199ece7fdc4

SHA256
776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf

SHA512
3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984

Download Submit
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-91-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/784-62-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/784-58-0x0000000010001000-0x0000000010016000-memory.dmp

Filesize
84KB

Download
memory/784-56-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/784-55-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/784-92-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/784-95-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/784-63-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/784-89-0x00000000000A0000-0x00000000000EC000-memory.dmp

Filesize
304KB

Download
memory/784-81-0x00000000000A0000-0x00000000000EC000-memory.dmp

Filesize
304KB

Download
memory/784-83-0x00000000000A1000-0x00000000000B6000-memory.dmp

Filesize
84KB

Download
memory/784-93-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/784-90-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/892-71-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/892-88-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/892-87-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/892-73-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/892-72-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/892-94-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download