Analysis
-
max time kernel
122s -
max time network
133s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
04-12-2022 06:47
General
-
Target
geometrydashmenu_SUnBLS4y.exe
-
Size
4.4MB
-
MD5
991903b93446afde2fdc398a5476d8d3
-
SHA1
a79a5f5b137f65a2f3f0563576016c2d5c263549
-
SHA256
9d470a00d89f4fe101085e3ed877a1d6e6da272a58356cbd92d3f9521ca7670d
-
SHA512
890e8b0e14a308ce45b5a87a3c924ccdb40f8e8ed93bb2420c39e1b62bc81511af0ac15b8e8807aafd9cb3e085633c90f9d7b40fdcf0f2189e4a9d40f3b1fac2
-
SSDEEP
98304:MGrYkNnl4tpiVYCdWaG5Ym/V8BWYYnQXy7M81O3w8oXy15w:MUnFlqiV1d+/8sQiwKOgRXCO
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\geometrydashmenu_SUnBLS4y.exe"C:\Users\Admin\AppData\Local\Temp\geometrydashmenu_SUnBLS4y.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-C03P3.tmp\geometrydashmenu_SUnBLS4y.tmp"C:\Users\Admin\AppData\Local\Temp\is-C03P3.tmp\geometrydashmenu_SUnBLS4y.tmp" /SL5="$A01DE,4351608,319488,C:\Users\Admin\AppData\Local\Temp\geometrydashmenu_SUnBLS4y.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Codessentials\Yadjb\Yadjb.exe"C:\Program Files (x86)\Codessentials\Yadjb\Yadjb.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 7084⤵
- Program crash
-
C:\Program Files (x86)\Codessentials\Yadjb\Yadjb.exe"C:\Program Files (x86)\Codessentials\Yadjb\Yadjb.exe" 9f7f74ec9226ecf884d928c07d48c2663⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 8444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 8484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 8884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 9884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 9764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 10084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 10564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 11924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 12004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 11804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 12324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 15924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 16484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 16164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 16364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 17084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 17724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 18604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 18204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 17244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 18844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 18164⤵
- Program crash
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Yadjb 99"3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Documents\geometrydashmenu0.3.apk_id22722987.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Documents\geometrydashmenu0.3.apk_id22722987.exe"C:\Users\Admin\Documents\geometrydashmenu0.3.apk_id22722987.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Codessentials\Yadjb\Yadjb.exeFilesize
6.4MB
MD5b4aff7b7161a946abc2253d0285c22b1
SHA194b01db5b1f43691d84b229db3224c4b7d1071f8
SHA256b70888faf5344c333ea634bc6f4d8bbc04211a6f3d5211dd79af60518ddfbd93
SHA512fcc645f9e11e11bab52aeae5f9657b81ee32c55a53dcdf2379494b9134ece7dcd970d0efbd86235acbdef23c1b33cadf5655641dd62fd1d8f22ab39e48c7df22
-
C:\Program Files (x86)\Codessentials\Yadjb\Yadjb.exeFilesize
6.4MB
MD5b4aff7b7161a946abc2253d0285c22b1
SHA194b01db5b1f43691d84b229db3224c4b7d1071f8
SHA256b70888faf5344c333ea634bc6f4d8bbc04211a6f3d5211dd79af60518ddfbd93
SHA512fcc645f9e11e11bab52aeae5f9657b81ee32c55a53dcdf2379494b9134ece7dcd970d0efbd86235acbdef23c1b33cadf5655641dd62fd1d8f22ab39e48c7df22
-
C:\Users\Admin\AppData\Local\Temp\is-C03P3.tmp\geometrydashmenu_SUnBLS4y.tmpFilesize
955KB
MD5bb602d1b395aa4558a3a2345b4400c7d
SHA10609c12adab7f5d3d7459359cda0cec6dd11b60e
SHA2561a9fd2e11a6992c74d274ce7a248c1dc8d6af1aea933e25596fa07ffff8cb4cd
SHA5126d206bdb0c8020467abf4be9201ebe941e04c32a124df694ce41c3180cb5a0daac60bda06bc5d32debcdfccc793f12787f6e348e45840c9d683b1ead238be6f5
-
C:\Users\Admin\AppData\Local\Temp\is-C03P3.tmp\geometrydashmenu_SUnBLS4y.tmpFilesize
955KB
MD5bb602d1b395aa4558a3a2345b4400c7d
SHA10609c12adab7f5d3d7459359cda0cec6dd11b60e
SHA2561a9fd2e11a6992c74d274ce7a248c1dc8d6af1aea933e25596fa07ffff8cb4cd
SHA5126d206bdb0c8020467abf4be9201ebe941e04c32a124df694ce41c3180cb5a0daac60bda06bc5d32debcdfccc793f12787f6e348e45840c9d683b1ead238be6f5
-
C:\Users\Admin\Documents\geometrydashmenu0.3.apk_id22722987.exeFilesize
1.3MB
MD5520b5aedc6da20023cfae3ff6b6998c3
SHA16c40cb2643acc1155937e48a5bdfc41d7309d629
SHA25621899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070
SHA512714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d
-
C:\Users\Admin\Documents\geometrydashmenu0.3.apk_id22722987.exeFilesize
1.3MB
MD5520b5aedc6da20023cfae3ff6b6998c3
SHA16c40cb2643acc1155937e48a5bdfc41d7309d629
SHA25621899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070
SHA512714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d
-
\Users\Admin\AppData\Local\Temp\is-42EFO.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
memory/1316-218-0x0000000000000000-mapping.dmp
-
memory/1316-269-0x0000000000400000-0x0000000001859000-memory.dmpFilesize
20.3MB
-
memory/1316-283-0x0000000000400000-0x0000000001859000-memory.dmpFilesize
20.3MB
-
memory/2656-146-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-152-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-132-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-133-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-134-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-135-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-136-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-137-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-138-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-139-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-140-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-141-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-142-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-143-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-144-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-145-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-130-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-147-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-148-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-149-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-150-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-131-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-151-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-153-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2656-155-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-156-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-129-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-121-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-122-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-123-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-128-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-120-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-169-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2656-127-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-126-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-376-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2656-125-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-124-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/2656-157-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/3704-430-0x0000000000E10000-0x00000000012A5000-memory.dmpFilesize
4.6MB
-
memory/3704-431-0x00000000006B0000-0x00000000006B3000-memory.dmpFilesize
12KB
-
memory/3704-499-0x00000000006B0000-0x00000000006B3000-memory.dmpFilesize
12KB
-
memory/4220-284-0x0000000000000000-mapping.dmp
-
memory/4484-166-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-175-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-176-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-178-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-179-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-181-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-183-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-185-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-186-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-184-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-182-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-180-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-172-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-187-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-174-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-177-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-173-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-171-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-170-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-158-0x0000000000000000-mapping.dmp
-
memory/4484-161-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-160-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-162-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-163-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-164-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-165-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4484-168-0x0000000077560000-0x00000000776EE000-memory.dmpFilesize
1.6MB
-
memory/4856-400-0x0000000000400000-0x0000000001859000-memory.dmpFilesize
20.3MB
-
memory/4856-399-0x0000000000400000-0x0000000001859000-memory.dmpFilesize
20.3MB
-
memory/4856-372-0x0000000000400000-0x0000000001859000-memory.dmpFilesize
20.3MB
-
memory/4856-314-0x0000000000400000-0x0000000001859000-memory.dmpFilesize
20.3MB
-
memory/4856-285-0x0000000000000000-mapping.dmp