8e693a263d61a44a9ef68b7c082ed22453c9671919a75fc7b90be4ae67c07d76

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe
Size

24KB
MD5

ea4e5df4f3581fb57c8c89f8eb2ab1fb
SHA1

ca81d40e97dfe23437d0e2d701eed90adf12f85a
SHA256

8e693a263d61a44a9ef68b7c082ed22453c9671919a75fc7b90be4ae67c07d76
SHA512

7161a7796cd698fec123d2b5ad2a6080cbe815b66ab7d855e69a8706321343fed5a70fe409353bd0ff600459f4c8db938aab2019263784a4a846b9dc7ba46745
SSDEEP

384:E3eVES+/xwGkRKJJIlM61qmTTMVF9/q5q0:bGS+ZfbJqO8qYoAb

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2752	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2756	ipconfig.exe
2696	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	2696	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3048	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe
3048	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2720	3048	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe	28
PID 3048 wrote to memory of 2720	3048	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe	28
PID 3048 wrote to memory of 2720	3048	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe	28
PID 3048 wrote to memory of 2720	3048	ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe	28
PID 2720 wrote to memory of 2668	2720	cmd.exe	30
PID 2720 wrote to memory of 2668	2720	cmd.exe	30
PID 2720 wrote to memory of 2668	2720	cmd.exe	30
PID 2720 wrote to memory of 2668	2720	cmd.exe	30
PID 2720 wrote to memory of 2756	2720	cmd.exe	31
PID 2720 wrote to memory of 2756	2720	cmd.exe	31
PID 2720 wrote to memory of 2756	2720	cmd.exe	31
PID 2720 wrote to memory of 2756	2720	cmd.exe	31
PID 2720 wrote to memory of 2752	2720	cmd.exe	32
PID 2720 wrote to memory of 2752	2720	cmd.exe	32
PID 2720 wrote to memory of 2752	2720	cmd.exe	32
PID 2720 wrote to memory of 2752	2720	cmd.exe	32
PID 2720 wrote to memory of 2796	2720	cmd.exe	34
PID 2720 wrote to memory of 2796	2720	cmd.exe	34
PID 2720 wrote to memory of 2796	2720	cmd.exe	34
PID 2720 wrote to memory of 2796	2720	cmd.exe	34
PID 2796 wrote to memory of 2684	2796	net.exe	35
PID 2796 wrote to memory of 2684	2796	net.exe	35
PID 2796 wrote to memory of 2684	2796	net.exe	35
PID 2796 wrote to memory of 2684	2796	net.exe	35
PID 2720 wrote to memory of 2696	2720	cmd.exe	36
PID 2720 wrote to memory of 2696	2720	cmd.exe	36
PID 2720 wrote to memory of 2696	2720	cmd.exe	36
PID 2720 wrote to memory of 2696	2720	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe
"C:\Users\Admin\AppData\Local\Temp\ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2756
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
c9d079328dadda3e7fa132d2892c7aed

SHA1
edc4babbc05869699d1a0dbd0680135e9de1896b

SHA256
ebefa9e50751eb5a03c916f1c2e9a6c12cb03f516f156a9167df2256424614a1

SHA512
fdf186aededfbc57419f83e3dfcea84137e977a7545f58b77d0d4804fd26cfbf385e3482b2d2b8031fb0fac0493cbe39638e14ee0b7cc7cf5c306e04ea3c831f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads