37c309446f0d20c260dca6767a84fb25e9d93a0488ef5d0505a438f09c8e121b

Analysis

max time kernel
201s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Size

156KB
MD5

4c21173ffd09f0d9b4ee2f1ecde02fbe
SHA1

232043f5a130c8e06d5d410446bc8250cec7ad3a
SHA256

37c309446f0d20c260dca6767a84fb25e9d93a0488ef5d0505a438f09c8e121b
SHA512

741d93d47cd51453e3278925637647a00b0f3372859f1260328603658c0741482c63d47de99babe29b0375b896e89a64f5214fb6bd473703a8c5dbcc29fa539f
SSDEEP

3072:NsTe4Vcx8jeFvB0Z/I8xSFJKxr2CrIL3NoF0:KmIcvqVuJyr2CML3+i

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geeemon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe

Executes dropped EXE 1 IoCs

pid	Process
1884	geeemon.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /w"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /x"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /t"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /o"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /d"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /e"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /g"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /r"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /n"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /a"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /u"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /q"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /k"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /p"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /z"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /v"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /f"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /i"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /b"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /s"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /l"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /m"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /w"	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /c"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /j"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /y"	geeemon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geeemon = "C:\\Users\\Admin\\geeemon.exe /h"	geeemon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
4572	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe
1884	geeemon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4572	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
1884	geeemon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1884	4572	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe	91
PID 4572 wrote to memory of 1884	4572	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe	91
PID 4572 wrote to memory of 1884	4572	4c21173ffd09f0d9b4ee2f1ecde02fbe.exe	91

C:\Users\Admin\AppData\Local\Temp\4c21173ffd09f0d9b4ee2f1ecde02fbe.exe
"C:\Users\Admin\AppData\Local\Temp\4c21173ffd09f0d9b4ee2f1ecde02fbe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\geeemon.exe
  "C:\Users\Admin\geeemon.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\geeemon.exe

Filesize
156KB

MD5
c473863edac7e2313d5734f8cbe1c0a4

SHA1
e3dcc36f0ff495805d7dcfd9282fd5b5ddec4053

SHA256
90743f0f369c934fb7a98f37e37d35b614d6f77b2c6e1464eee43c521b0509ee

SHA512
bc4edbd94e02fa3f8c454108def1c9bf0188d328964a7d126dd39d843477b01127a2c6afbd6b6c01a9e61463b57c46e987856d6dbef441e708e9a0fba262bf9c

Download Submit