Analysis
max time kernel: 201s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Resource: win10v2004-20231215-en
General
Target: 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Size: 156KB
MD5: 4c21173ffd09f0d9b4ee2f1ecde02fbe
SHA1: 232043f5a130c8e06d5d410446bc8250cec7ad3a
SHA256: 37c309446f0d20c260dca6767a84fb25e9d93a0488ef5d0505a438f09c8e121b
SHA512: 741d93d47cd51453e3278925637647a00b0f3372859f1260328603658c0741482c63d47de99babe29b0375b896e89a64f5214fb6bd473703a8c5dbcc29fa539f
SSDEEP: 3072:NsTe4Vcx8jeFvB0Z/I8xSFJKxr2CrIL3NoF0:KmIcvqVuJyr2CML3+i
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | geeemon.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1884 | geeemon.exe

Adds Run key to start application (2 TTPs, 27 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /w" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /x" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /t" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /o" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /d" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /e" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /g" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /r" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /n" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /a" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /u" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /q" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /k" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /p" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /z" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /v" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /f" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /i" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /b" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /s" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /l" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /m" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /w" | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /c" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /j" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /y" | geeemon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /h" | geeemon.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4572 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe (2 identical entries)
  1884 | geeemon.exe (62 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4572 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
  1884 | geeemon.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4572 wrote to memory of 1884 | 4572 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 91
  PID 4572 wrote to memory of 1884 | 4572 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 91
  PID 4572 wrote to memory of 1884 | 4572 | 4c21173ffd09f0d9b4ee2f1ecde02fbe.exe | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c21173ffd09f0d9b4ee2f1ecde02fbe.exe"
   PID: 4572
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\geeemon.exe
      Command line: "C:\Users\Admin\geeemon.exe"
      PID: 1884
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156KB
MD5: c473863edac7e2313d5734f8cbe1c0a4
SHA1: e3dcc36f0ff495805d7dcfd9282fd5b5ddec4053
SHA256: 90743f0f369c934fb7a98f37e37d35b614d6f77b2c6e1464eee43c521b0509ee
SHA512: bc4edbd94e02fa3f8c454108def1c9bf0188d328964a7d126dd39d843477b01127a2c6afbd6b6c01a9e61463b57c46e987856d6dbef441e708e9a0fba262bf9c