Analysis

max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 03:20

Static task: static1
Behavioral task: behavioral1
  Sample: 0cc46782416d5b4eb85f7675c679b03a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0cc46782416d5b4eb85f7675c679b03a.exe
  Resource: win10v2004-20231222-en
General

Target: 0cc46782416d5b4eb85f7675c679b03a.exe
Size: 24KB
MD5: 0cc46782416d5b4eb85f7675c679b03a
SHA1: a5e5f89adeaefad4aade8b7f576416197f68766b
SHA256: 53f942eb67f92c6482a7ad6cd79ab72530bc0f6a603266d2e8e6c87ea6d0f7a5
SHA512: 72348df660cf77740c7aa3a5449713c7aabcb801ee792bec26613291a543d6485d4a1ed294be002e064520c9b10fa5b8ef930a665758058d6393363b6f6b4368
SSDEEP: 384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5v0:bGS+ZfbJiO8qYoAM
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | 0cc46782416d5b4eb85f7675c679b03a.exe

Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | 0cc46782416d5b4eb85f7675c679b03a.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid | Process
  1012 | tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid | Process
  712 | ipconfig.exe
  452 | NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1012 | tasklist.exe
  Token: SeDebugPrivilege | 452 | NETSTAT.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4692 | 0cc46782416d5b4eb85f7675c679b03a.exe
  4692 | 0cc46782416d5b4eb85f7675c679b03a.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Each entry below is reported three times in the sandbox output (21 IoCs in total).
  description | pid | Process | procid_target
  PID 4692 wrote to memory of 2484 | 4692 | 0cc46782416d5b4eb85f7675c679b03a.exe | 18
  PID 2484 wrote to memory of 3292 | 2484 | cmd.exe | 26
  PID 2484 wrote to memory of 712 | 2484 | cmd.exe | 22
  PID 2484 wrote to memory of 1012 | 2484 | cmd.exe | 23
  PID 2484 wrote to memory of 4300 | 2484 | cmd.exe | 34
  PID 4300 wrote to memory of 1292 | 4300 | net.exe | 31
  PID 2484 wrote to memory of 452 | 2484 | cmd.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\0cc46782416d5b4eb85f7675c679b03a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0cc46782416d5b4eb85f7675c679b03a.exe"
  PID: 4692
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    PID: 2484
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /all
      PID: 712
      - Gathers network information

    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 1012
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c set
      PID: 3292

    C:\Windows\SysWOW64\NETSTAT.EXE
      command line: netstat -an
      PID: 452
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\net.exe
      command line: net start
      PID: 4300
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 start
        PID: 1292
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 17daf79620b8648b0dff98aeafabec57
SHA1: 8c7ecd236f4558c7dfb6959dd0b61ae527df1124
SHA256: e1e48823d8661ddcf722e039845ec225721e965f3506f23fe7ab62106338ceed
SHA512: f61c84af6cd4f7fde8ec94b1145c2ae44cc077dd6d7188d5d714a821beddf53b5fc775142c465231ec33d1c53a666a553e122df1d93cc9677365cf05efdfb9b0