b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d

Analysis

max time kernel
166s
max time network
53s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 03:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
Size

208KB
MD5

4a913c8aa0df7e39c6822b48d26e6e10
SHA1

16ecc1a3dfd9830270c069ccd3e230208e678f23
SHA256

b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d
SHA512

3b8b4afbd15de133cf1c8473a15bb6da46d851c2fd304e3b5db149ecff1f844089f49e3d5d882ae0384c119b08038fe9071d919426e9bbb3e41afd5a5d2e5efc
SSDEEP

3072:oFtCD3EAkPRCSk3YRNCgmm/r4o+1EqCzfA1WmdH83qZ0oREdxuDwZe/rPXUv9Ut2:QtiCRCm/r4JOmN83GuuuSXUWGx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geiafek.exe

Executes dropped EXE 1 IoCs

pid	Process
2044	geiafek.exe

Loads dropped DLL 2 IoCs

pid	Process
552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /a"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /u"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /m"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /h"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /n"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /r"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /k"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /e"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /l"	geiafek.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /o"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /j"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /i"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /y"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /q"	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /t"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /v"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /g"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /c"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /x"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /b"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /q"	geiafek.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /f"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /d"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /z"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /p"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /s"	geiafek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\geiafek = "C:\\Users\\Admin\\geiafek.exe /w"	geiafek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe
2044	geiafek.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
2044	geiafek.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2044	552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe	27
PID 552 wrote to memory of 2044	552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe	27
PID 552 wrote to memory of 2044	552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe	27
PID 552 wrote to memory of 2044	552	b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe	27

C:\Users\Admin\AppData\Local\Temp\b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
"C:\Users\Admin\AppData\Local\Temp\b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\geiafek.exe
  "C:\Users\Admin\geiafek.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

DNS

ns1.chopzones.com

b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe

Remote address:

8.8.8.8:53

Request

ns1.chopzones.com

IN A

Response

ns1.chopzones.com

IN A

91.195.240.12

91.195.240.12:8000

ns1.chopzones.com

b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe

152 B
3

8.8.8.8:53

ns1.chopzones.com

dns

b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe

63 B
79 B
1
1

DNS Request

ns1.chopzones.com

DNS Response

91.195.240.12

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\geiafek.exe

Filesize
208KB

MD5
aac6c1d7d9a3af1ec30c2500b24ef235

SHA1
e18320bdfe5852f0dc5ee3dca296c95f49ff43cb

SHA256
3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21

SHA512
cca6dbd1c609b1b3ec511639fe733f56a0201914c40a5085433c42fe3974b932c3ba95d92f043d44cf687a0395a500c82d33849593fc4374ac853846b1f1845a

Download Submit
C:\Users\Admin\geiafek.exe

Filesize
208KB

MD5
aac6c1d7d9a3af1ec30c2500b24ef235

SHA1
e18320bdfe5852f0dc5ee3dca296c95f49ff43cb

SHA256
3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21

SHA512
cca6dbd1c609b1b3ec511639fe733f56a0201914c40a5085433c42fe3974b932c3ba95d92f043d44cf687a0395a500c82d33849593fc4374ac853846b1f1845a

Download Submit
\Users\Admin\geiafek.exe

Filesize
208KB

MD5
aac6c1d7d9a3af1ec30c2500b24ef235

SHA1
e18320bdfe5852f0dc5ee3dca296c95f49ff43cb

SHA256
3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21

SHA512
cca6dbd1c609b1b3ec511639fe733f56a0201914c40a5085433c42fe3974b932c3ba95d92f043d44cf687a0395a500c82d33849593fc4374ac853846b1f1845a

Download Submit
\Users\Admin\geiafek.exe

Filesize
208KB

MD5
aac6c1d7d9a3af1ec30c2500b24ef235

SHA1
e18320bdfe5852f0dc5ee3dca296c95f49ff43cb

SHA256
3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21

SHA512
cca6dbd1c609b1b3ec511639fe733f56a0201914c40a5085433c42fe3974b932c3ba95d92f043d44cf687a0395a500c82d33849593fc4374ac853846b1f1845a

Download Submit
memory/552-56-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.