713267ce8fa56f9746e7bf98f5c1fcffa7fe442787862a0f554b5d409782b4d6

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057f66f605ca8d50ffe026d7b05712f2.exe
Size

24KB
MD5

057f66f605ca8d50ffe026d7b05712f2
SHA1

1231de1ea0a85805a8119167f951bdbea932fb59
SHA256

713267ce8fa56f9746e7bf98f5c1fcffa7fe442787862a0f554b5d409782b4d6
SHA512

2c2c9e87cb03714aba6eca0ebaeda45bcb48a4b125728bd0476ee9bd5ca920ddbbacf5023b3247bcfab8b0f7fd71373ec00b0f035069fe8a9d5c69c1f6452918
SSDEEP

384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5b0:bGS+ZfbJiO8qYoAw

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	057f66f605ca8d50ffe026d7b05712f2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	057f66f605ca8d50ffe026d7b05712f2.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2764	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1856	ipconfig.exe
2128	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	tasklist.exe
Token: SeDebugPrivilege	2128	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2268	057f66f605ca8d50ffe026d7b05712f2.exe
2268	057f66f605ca8d50ffe026d7b05712f2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2464	2268	057f66f605ca8d50ffe026d7b05712f2.exe	25
PID 2268 wrote to memory of 2464	2268	057f66f605ca8d50ffe026d7b05712f2.exe	25
PID 2268 wrote to memory of 2464	2268	057f66f605ca8d50ffe026d7b05712f2.exe	25
PID 2268 wrote to memory of 2464	2268	057f66f605ca8d50ffe026d7b05712f2.exe	25
PID 2464 wrote to memory of 2424	2464	cmd.exe	24
PID 2464 wrote to memory of 2424	2464	cmd.exe	24
PID 2464 wrote to memory of 2424	2464	cmd.exe	24
PID 2464 wrote to memory of 2424	2464	cmd.exe	24
PID 2464 wrote to memory of 1856	2464	cmd.exe	18
PID 2464 wrote to memory of 1856	2464	cmd.exe	18
PID 2464 wrote to memory of 1856	2464	cmd.exe	18
PID 2464 wrote to memory of 1856	2464	cmd.exe	18
PID 2464 wrote to memory of 2764	2464	cmd.exe	19
PID 2464 wrote to memory of 2764	2464	cmd.exe	19
PID 2464 wrote to memory of 2764	2464	cmd.exe	19
PID 2464 wrote to memory of 2764	2464	cmd.exe	19
PID 2464 wrote to memory of 2700	2464	cmd.exe	21
PID 2464 wrote to memory of 2700	2464	cmd.exe	21
PID 2464 wrote to memory of 2700	2464	cmd.exe	21
PID 2464 wrote to memory of 2700	2464	cmd.exe	21
PID 2700 wrote to memory of 2840	2700	net.exe	23
PID 2700 wrote to memory of 2840	2700	net.exe	23
PID 2700 wrote to memory of 2840	2700	net.exe	23
PID 2700 wrote to memory of 2840	2700	net.exe	23
PID 2464 wrote to memory of 2128	2464	cmd.exe	22
PID 2464 wrote to memory of 2128	2464	cmd.exe	22
PID 2464 wrote to memory of 2128	2464	cmd.exe	22
PID 2464 wrote to memory of 2128	2464	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\057f66f605ca8d50ffe026d7b05712f2.exe
"C:\Users\Admin\AppData\Local\Temp\057f66f605ca8d50ffe026d7b05712f2.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
1⤵
- Gathers network information
PID:1856

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\net.exe
net start
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start
  2⤵
  PID:2840

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -an
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c set
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
0b9dbfc65c02cf3e975f0a911140d37a

SHA1
b145b9b7906687899aa428f7a06f92511b6e851d

SHA256
450475431b1fe12b6e083e6f27ddb00a90967c2493643f08878a7dd8ff16e080

SHA512
24590912eb0302395306e1efc40d43140a2ff2ec360549b7a2c878aeac7cc8fe86e6c54f5543d7aadb76899501f7cf6a81f3da2ad14267daf47f7c1741c33208

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads