Resubmissions
10-01-2025 03:28
250110-d1vwfszqbt 810-01-2025 03:26
250110-dzcy9aspfr 808-01-2025 04:07
250108-epr6vswjcl 808-01-2025 03:43
250108-d94vqaspcw 10Analysis
-
max time kernel
222s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-01-2025 03:28
General
-
Target
https://gemini-desktop.com/download/gemini.exe
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gemini-desktop.com/download/gemini.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81e1e46f8,0x7ff81e1e4708,0x7ff81e1e47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\gemini.exe"C:\Users\Admin\Downloads\gemini.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-ODEO7.tmp\gemini.tmp"C:\Users\Admin\AppData\Local\Temp\is-ODEO7.tmp\gemini.tmp" /SL5="$9025C,107203419,761856,C:\Users\Admin\Downloads\gemini.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\is-SIR4E.tmp\driver.exe"C:\Users\Admin\AppData\Local\Temp\is-SIR4E.tmp\driver.exe"4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C del /f /q "C:\Users\Admin\AppData\Local\Temp\is-SIR4E.tmp\driver.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16037393198685084529,1939546045049120008,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5704 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
6KB
MD52196eede92afba3de36ad07b849d22e4
SHA1224344b1c1a5b6de38e96c4c65bca44303d14b19
SHA256b8459167c10b33353970b290e0783306acf2de298667b322da759a4d037422cc
SHA512863bc7d7a4bfe3635318989b08594088a638548bda2832bcd61d509cbfe09da1d6fdaa93da40ba88054af96eaaf26cafdbc1c4eaebf564a0c13aad242da40571
-
Filesize
5KB
MD509e5eaa53482aa8cf4b4e416ac362de8
SHA1d3e6e1946a10330093de73389428b6ede6583d3b
SHA256a5e1ddc4a4fa540e5b6329105c8891b28605760aaea30f3d6b7a9c96dba9613c
SHA5121d012b22dd5cb3734b0eba4ca504d28d63c3adfa39b105dae646fa2fae6f3a48aaa84436782b8406195096c77a8e7f1032eaf2f65bfaf86585eec4bdb93a1ae5
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD500581d8567c5567b3ff27be0781568c2
SHA1e7dd8c30b13972873c2392f1cc14663994f744a9
SHA25648a6a2146879fb82f69f6bf5bc6d521c1f60dd7e4fe7c9ed9de1e4aad681a2cb
SHA5124cdd8b4ff84feb0564a01d7e36f82ef32e1d24a70b1a790b8d730c7b76437b41935774f7c4a6af410fde3c04ebb368eac3df21133edf1c98fd9c67bc20005c9d
-
Filesize
10KB
MD5135746496636761bbef4a5fbfc185e7f
SHA13448bdec856eaa4caa91b463af22b7bbd8a7e3cc
SHA256ad1a6fd21c9a8fa596bc27faf4c68b8a0405a8cbaae58cc7e338646a9f3195db
SHA512b61b26f92c47c365de7903588e2b01d0a3ac4159059aec1c91b50349379a9552178c1392c31a4ff4a5ecd26990f1d31f8916c463d6e5b154ad71f1860d8593cb
-
Filesize
2.9MB
MD59e3d21ba2007d8f2d178a26c21ced9f0
SHA1cf39a2f89bc9d72404b74d19b48938f4ae3ee0fa
SHA25621a8d0d1ac67a892e8d2e4f04e5fae2683bc43e384ef6d9ee6005ddea1b966a1
SHA512295c7dc56c943b76fdc07a3505a081de21c2c8860b034c77780d8257ac8008fbeaa9240524ce08b2a6bb13530f780b669ebc5d8c5ebd6b0be840d7549bed76b6
-
Filesize
7.2MB
MD5f0f8cdf115e89e3caab43f50658ba709
SHA119dfa9bc7437c7ec11dd4192700f2b9c9b324cef
SHA256cfc26c6a0f8fec7312ba9c79a3d186cbe01867936c7ade98f201fbf9b6ab90a5
SHA512697ad6802af19932003ea95ad0210b782d778ae41aefb1192a4ff58b05c1c124d9935df60e16e374dc7c1e0f4e197e4cb423dd10bd81cb8c6c6ffd44f48f972e
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
800KB
-
Filesize
800KB
-
Filesize
800KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB