b4fb522c3ace596c6464955c11a33f2de2fbc23a1eba91cbdcf3b4ced7e16413

Analysis

max time kernel
157s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

geode-installer-v4.0.1-win.exe
Size

37.4MB
MD5

481c805b21fd4253fb77b8a4c1837427
SHA1

0e6d51d5db91496e308c4d6c9bd21c1eb105b1ed
SHA256

b4fb522c3ace596c6464955c11a33f2de2fbc23a1eba91cbdcf3b4ced7e16413
SHA512

df8d828ae41b9c2bdb75d486f6ecdebeb8c975694ec4e37b56f95607eaceeaab2acbbe7c83a3f8491d19820a2c0158ab34dcc36e85ca7a1cd1764e3dd34477aa
SSDEEP

786432:xnLgHQ+u0t810rtZAicXagU5ybyjvXjcMqoS/dxggOo:xnIltQ0XtrXjcrDFdOo

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2108	geode-installer-v4.0.1-win.exe
2108	geode-installer-v4.0.1-win.exe
2108	geode-installer-v4.0.1-win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geode-installer-v4.0.1-win.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2612	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2612	EXCEL.EXE
2612	EXCEL.EXE
2612	EXCEL.EXE
2612	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\geode-installer-v4.0.1-win.exe
"C:\Users\Admin\AppData\Local\Temp\geode-installer-v4.0.1-win.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2108

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyBD58.tmp\modern-wizard.bmp

Filesize
201KB

MD5
3c5626cfc549b9a2fc147f84601a68b1

SHA1
df2015ab7aa2eb9943cc5929fb9f7ec14a26b71e

SHA256
4873a57c9b2d697e4f8689ff7a2f785fb836a6289bc377320987b5541856234c

SHA512
b076a7c5350a8fda2f641c052bab4f87a602f313c91a3c0ceab2da45f9753cd89ee97497a5c67552e65a97de1366e69bfc531f6b728224e86314b90b91fd9511

Download Submit
\Users\Admin\AppData\Local\Temp\nsyBD58.tmp\LangDLL.dll

Filesize
8KB

MD5
313661ec12ed5ce1fd0b3292bf02cb69

SHA1
fd341676cf680a9f0f690c35b43feadc0693e9a8

SHA256
2e08e077a0800ec39c0596f4dd91cbbfa917eeef2d75a00767917b8d1f6884ac

SHA512
a16f35c6019eb1431a3d03fb7d0935c272756f2a8363f541e168a55b2e20a85ee90191715c845ab0588eef8f2af6cf91ac75c5bf1a5d0c61c513339006da9ff2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyBD58.tmp\System.dll

Filesize
28KB

MD5
81e34f1c4b04a15dbce200c52f598f67

SHA1
f40a922ad7a5494e2aeeaa2b961d96738e888af7

SHA256
b89448b9fd7be5ef215cac6d973a57c0e75e1fffa25552afe174855c9b71fdf9

SHA512
577f52a292075269f0e8ec4c6d243b2ed411872e009839553020929a8263174ad97943f150543e4ea6cb327d95e227f4065441a9d2106b7cabf1cb872dbcc181

Download Submit
\Users\Admin\AppData\Local\Temp\nsyBD58.tmp\nsDialogs.dll

Filesize
14KB

MD5
2726673c720a296442c8ed134b41d169

SHA1
b8050c85017fcda78f6b82cc86ad277bb0dbd539

SHA256
778b2bfbf3f4e641161f40c8174442a4d3865f097e3a2a383356dbfcac8005ab

SHA512
95fd8cd96a4c627dfc1a89a98630ead3fe431360ab15f2324a52fdd03b2b493bdc44a4d6d0189276826725ea4e48aeb4711459a459b92a80be51e9431b70bb0b

Download Submit
memory/2108-15-0x0000000074FB0000-0x0000000074FBC000-memory.dmp

Filesize
48KB

Download
memory/2108-22-0x0000000074FB0000-0x0000000074FBC000-memory.dmp

Filesize
48KB

Download
memory/2108-23-0x0000000074FA0000-0x0000000074FAF000-memory.dmp

Filesize
60KB

Download
memory/2108-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2108-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2108-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2108-42-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2612-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2612-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download