5b24fb4d7450585d36d7555898614a63e08e5a2118ced5298b7c72029ef3044a

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:47

Target

26d12460ba71b6257e385ab02ad672cd.exe
Size

24KB
MD5

26d12460ba71b6257e385ab02ad672cd
SHA1

8f1c53e7448b92e54001a490e826e1d6ef1e696e
SHA256

5b24fb4d7450585d36d7555898614a63e08e5a2118ced5298b7c72029ef3044a
SHA512

5afb52d5a72e293c0cd905ca0504a16f4e753e35e12add48507c650699e5d8b5a9657b4092d80b4427e64c1be6ce2434527c5be44bebf7395f376be0d824c26e
SSDEEP

384:E3eVES+/xwGkRKJqjzrklM61qmTTMVF9/q5G0:bGS+ZfbJq7kO8qYoAv

Score

6^/10

persistence

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	26d12460ba71b6257e385ab02ad672cd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	26d12460ba71b6257e385ab02ad672cd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

pid	Process
2432	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

pid	Process
2572	NETSTAT.EXE
2916	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2572	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3060	26d12460ba71b6257e385ab02ad672cd.exe
3060	26d12460ba71b6257e385ab02ad672cd.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2152	3060	26d12460ba71b6257e385ab02ad672cd.exe	23
PID 3060 wrote to memory of 2152	3060	26d12460ba71b6257e385ab02ad672cd.exe	23
PID 3060 wrote to memory of 2152	3060	26d12460ba71b6257e385ab02ad672cd.exe	23
PID 3060 wrote to memory of 2152	3060	26d12460ba71b6257e385ab02ad672cd.exe	23
PID 2152 wrote to memory of 3048	2152	cmd.exe	21
PID 2152 wrote to memory of 3048	2152	cmd.exe	21
PID 2152 wrote to memory of 3048	2152	cmd.exe	21
PID 2152 wrote to memory of 3048	2152	cmd.exe	21
PID 2152 wrote to memory of 2916	2152	cmd.exe	20
PID 2152 wrote to memory of 2916	2152	cmd.exe	20
PID 2152 wrote to memory of 2916	2152	cmd.exe	20
PID 2152 wrote to memory of 2916	2152	cmd.exe	20
PID 2152 wrote to memory of 2432	2152	cmd.exe	15
PID 2152 wrote to memory of 2432	2152	cmd.exe	15
PID 2152 wrote to memory of 2432	2152	cmd.exe	15
PID 2152 wrote to memory of 2432	2152	cmd.exe	15
PID 2152 wrote to memory of 2684	2152	cmd.exe	19
PID 2152 wrote to memory of 2684	2152	cmd.exe	19
PID 2152 wrote to memory of 2684	2152	cmd.exe	19
PID 2152 wrote to memory of 2684	2152	cmd.exe	19
PID 2684 wrote to memory of 2720	2684	net.exe	17
PID 2684 wrote to memory of 2720	2684	net.exe	17
PID 2684 wrote to memory of 2720	2684	net.exe	17
PID 2684 wrote to memory of 2720	2684	net.exe	17
PID 2152 wrote to memory of 2572	2152	cmd.exe	18
PID 2152 wrote to memory of 2572	2152	cmd.exe	18
PID 2152 wrote to memory of 2572	2152	cmd.exe	18
PID 2152 wrote to memory of 2572	2152	cmd.exe	18

C:\Users\Admin\AppData\Local\Temp\26d12460ba71b6257e385ab02ad672cd.exe
"C:\Users\Admin\AppData\Local\Temp\26d12460ba71b6257e385ab02ad672cd.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152