3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1800s
max time network
1568s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Size

248KB
MD5

d3e517e198379ed5b8faf580bef47961
SHA1

5daf25a32e1a3f8dbbf14d488487c0175d266d60
SHA256

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a
SHA512

3902b8f850c5d1242840f7c61d38b677a7d98356097c939dd2f06ed9d18f1391784775ca213b1d3cf5a1e661f2d79a14f250bbfb8202124646ac89e451b0d162
SSDEEP

6144:5Qscj0zoT9nfNARb+m4hOZTIpZh3usSoSVGM:yQzoT9fNAcmeV4xoS

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\ProgramData\\gema\\gema.exe,userinit.exe,"	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\gema\\gema.exe,Explorer.exe,"	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral24/memory/2728-0-0x0000000000400000-0x00000000004AB000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\gema\gema.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gema. = "C:\\ProgramData\\gema\\gema.exe"	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\gema = "C:\\Users\\Admin\\AppData\\Roaming\\gema\\gema.exe"	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

Drops file in System32 directory 2 IoCs

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

description	ioc	process
File opened for modification	C:\Windows\System32\gema.exe	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
File created	C:\Windows\System32\gema.exe	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

Drops file in Windows directory 1 IoCs

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

description ioc process

File opened for modification C:\Windows\win.ini c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\win.ini	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

pid	process
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

pid	process
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
2728	c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

C:\Users\Admin\AppData\Local\Temp\c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
"C:\Users\Admin\AppData\Local\Temp\c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gema\gema.exe

Filesize
248KB

MD5
d3e517e198379ed5b8faf580bef47961

SHA1
5daf25a32e1a3f8dbbf14d488487c0175d266d60

SHA256
c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a

SHA512
3902b8f850c5d1242840f7c61d38b677a7d98356097c939dd2f06ed9d18f1391784775ca213b1d3cf5a1e661f2d79a14f250bbfb8202124646ac89e451b0d162

Download Submit
memory/2728-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2728-1-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2728-2-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2728-60-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2728-1381-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download