2d5db17bbbb72469b53f2c1801e27e79a2dc83f266ca34710e4689d0c7b03cf6

Analysis

max time kernel
40s
max time network
43s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 19:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

geode-installer-v2.0.0-beta.26-win.exe
Size

25.9MB
MD5

39d10002616e6d2142c8c1aeeec6327d
SHA1

c8b934c3ef5a82672dbaba0ff6671b29c53911cf
SHA256

2d5db17bbbb72469b53f2c1801e27e79a2dc83f266ca34710e4689d0c7b03cf6
SHA512

9988a04be109630114085463a6d90a426c9c8384edbbd8718cc5789bd29a955f8c6a90ab1f3b89a4d6ba3dd18128eae1bd65d261ca54f6c639cb94368235d72b
SSDEEP

786432:H4ybYCHgLccSo3DzHntXB7Ep+zJfKcf2zuP90:H40pA4cSkXHntXB7E4zH2890

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

geode-installer-v2.0.0-beta.26-win.exe

pid process

1676 geode-installer-v2.0.0-beta.26-win.exe
1676 geode-installer-v2.0.0-beta.26-win.exe
1676 geode-installer-v2.0.0-beta.26-win.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1676	geode-installer-v2.0.0-beta.26-win.exe
1676	geode-installer-v2.0.0-beta.26-win.exe
1676	geode-installer-v2.0.0-beta.26-win.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2488 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mspaint.exe

pid process

2548 mspaint.exe
2548 mspaint.exe
2548 mspaint.exe
2548 mspaint.exe

pid	process
2488	POWERPNT.EXE

pid	process
2548	mspaint.exe
2548	mspaint.exe
2548	mspaint.exe
2548	mspaint.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 2488 wrote to memory of 2440	2488	POWERPNT.EXE	splwow64.exe
PID 2488 wrote to memory of 2440	2488	POWERPNT.EXE	splwow64.exe
PID 2488 wrote to memory of 2440	2488	POWERPNT.EXE	splwow64.exe
PID 2488 wrote to memory of 2440	2488	POWERPNT.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.26-win.exe
"C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.26-win.exe"
1⤵
- Loads dropped DLL
PID:1676

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RestartNew.rle"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\RevokeSwitch.potm"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24FF.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
memory/2488-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2488-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-27-0x000007FEF62D0000-0x000007FEF631C000-memory.dmp

Filesize
304KB

Download
memory/2548-28-0x000007FEF62D0000-0x000007FEF631C000-memory.dmp

Filesize
304KB

Download