53f942eb67f92c6482a7ad6cd79ab72530bc0f6a603266d2e8e6c87ea6d0f7a5

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc46782416d5b4eb85f7675c679b03a.exe
Size

24KB
MD5

0cc46782416d5b4eb85f7675c679b03a
SHA1

a5e5f89adeaefad4aade8b7f576416197f68766b
SHA256

53f942eb67f92c6482a7ad6cd79ab72530bc0f6a603266d2e8e6c87ea6d0f7a5
SHA512

72348df660cf77740c7aa3a5449713c7aabcb801ee792bec26613291a543d6485d4a1ed294be002e064520c9b10fa5b8ef930a665758058d6393363b6f6b4368
SSDEEP

384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5v0:bGS+ZfbJiO8qYoAM

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	0cc46782416d5b4eb85f7675c679b03a.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	0cc46782416d5b4eb85f7675c679b03a.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
940	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2740	ipconfig.exe
2672	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	2672	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2316	0cc46782416d5b4eb85f7675c679b03a.exe
2316	0cc46782416d5b4eb85f7675c679b03a.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2376	2316	0cc46782416d5b4eb85f7675c679b03a.exe	25
PID 2316 wrote to memory of 2376	2316	0cc46782416d5b4eb85f7675c679b03a.exe	25
PID 2316 wrote to memory of 2376	2316	0cc46782416d5b4eb85f7675c679b03a.exe	25
PID 2316 wrote to memory of 2376	2316	0cc46782416d5b4eb85f7675c679b03a.exe	25
PID 2376 wrote to memory of 3040	2376	cmd.exe	17
PID 2376 wrote to memory of 3040	2376	cmd.exe	17
PID 2376 wrote to memory of 3040	2376	cmd.exe	17
PID 2376 wrote to memory of 3040	2376	cmd.exe	17
PID 2376 wrote to memory of 2740	2376	cmd.exe	18
PID 2376 wrote to memory of 2740	2376	cmd.exe	18
PID 2376 wrote to memory of 2740	2376	cmd.exe	18
PID 2376 wrote to memory of 2740	2376	cmd.exe	18
PID 2376 wrote to memory of 940	2376	cmd.exe	19
PID 2376 wrote to memory of 940	2376	cmd.exe	19
PID 2376 wrote to memory of 940	2376	cmd.exe	19
PID 2376 wrote to memory of 940	2376	cmd.exe	19
PID 2376 wrote to memory of 2568	2376	cmd.exe	23
PID 2376 wrote to memory of 2568	2376	cmd.exe	23
PID 2376 wrote to memory of 2568	2376	cmd.exe	23
PID 2376 wrote to memory of 2568	2376	cmd.exe	23
PID 2568 wrote to memory of 2604	2568	net.exe	22
PID 2568 wrote to memory of 2604	2568	net.exe	22
PID 2568 wrote to memory of 2604	2568	net.exe	22
PID 2568 wrote to memory of 2604	2568	net.exe	22
PID 2376 wrote to memory of 2672	2376	cmd.exe	21
PID 2376 wrote to memory of 2672	2376	cmd.exe	21
PID 2376 wrote to memory of 2672	2376	cmd.exe	21
PID 2376 wrote to memory of 2672	2376	cmd.exe	21

C:\Users\Admin\AppData\Local\Temp\0cc46782416d5b4eb85f7675c679b03a.exe
"C:\Users\Admin\AppData\Local\Temp\0cc46782416d5b4eb85f7675c679b03a.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c set
1⤵
PID:3040

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
1⤵
- Gathers network information
PID:2740

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -an
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start
1⤵
PID:2604

C:\Windows\SysWOW64\net.exe
net start
1⤵
- Suspicious use of WriteProcessMemory
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
9714ff196f674ea60d08f2f001d3c111

SHA1
6ed250302aebc4353b1e0e84b492afc1a8d6818e

SHA256
bf8017ad4d1551caede187ad04fca157d7a8fa612e3fb27edb5e77bcaf7568d6

SHA512
1b5e6271a413f7321a4b509ff0256ca3ba2ceb8d3d64d2407135f508c480204e82ddf17e790b103e00c310fba29f2d9bd13636294cd9927ab9575229d068aca2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads