2d06af59253d1021db39415c2253e6bf3c8d6f47cf4f2703062ddda05691ced5

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58697b0ccbca971d58b45ab035f89115.exe
Size

204KB
MD5

58697b0ccbca971d58b45ab035f89115
SHA1

b79d4b1469cd31e6e35754f0355cbec7c5876739
SHA256

2d06af59253d1021db39415c2253e6bf3c8d6f47cf4f2703062ddda05691ced5
SHA512

dc677b3a8984c9a014678b2f7684536712ff9bd8369cd779020979aabca7d86ad91584ad4544c86d7e8fd0d9f74a446ee67a4272a903cde325c4ae686d244174
SSDEEP

3072:N4Rb9GffGv4rPB3QJcaitfdE1611wuUBcQZff8:d42PhKc39di611wcV

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	58697b0ccbca971d58b45ab035f89115.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	geedu.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	geedu.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	58697b0ccbca971d58b45ab035f89115.exe
1992	58697b0ccbca971d58b45ab035f89115.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /r"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /y"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /m"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /p"	58697b0ccbca971d58b45ab035f89115.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /l"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /g"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /p"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /h"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /a"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /e"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /d"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /q"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /o"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /k"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /f"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /w"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /n"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /x"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /i"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /u"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /t"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /s"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /b"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /v"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /z"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /c"	geedu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\geedu = "C:\\Users\\Admin\\geedu.exe /j"	geedu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	58697b0ccbca971d58b45ab035f89115.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe
2840	geedu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	58697b0ccbca971d58b45ab035f89115.exe
2840	geedu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2840	1992	58697b0ccbca971d58b45ab035f89115.exe	28
PID 1992 wrote to memory of 2840	1992	58697b0ccbca971d58b45ab035f89115.exe	28
PID 1992 wrote to memory of 2840	1992	58697b0ccbca971d58b45ab035f89115.exe	28
PID 1992 wrote to memory of 2840	1992	58697b0ccbca971d58b45ab035f89115.exe	28

C:\Users\Admin\AppData\Local\Temp\58697b0ccbca971d58b45ab035f89115.exe
"C:\Users\Admin\AppData\Local\Temp\58697b0ccbca971d58b45ab035f89115.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\geedu.exe
  "C:\Users\Admin\geedu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\geedu.exe

Filesize
204KB

MD5
41aed2aa8a1d54383360b4285786a3f5

SHA1
07153e0bd205d8b3e082866ae560e74b31dfe8c2

SHA256
3605723727d42516b98f89e27d347e1f22b32a8574c22e11c0d260e26079901e

SHA512
b361d8761a75f105cf7b1d79bc3b7396179296a75650bcad78de7a63745a9dcfa6b04986b064a7c549b4f74f43918c9c90742ced194f96e0b9755635e599963d

Download Submit