e5f0e7040124109ecc2063a5b24e73f581fb84a2be6e961e24fbfe84af39cdcc

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17c14fb16e615f8f665af85d30590727.exe
Size

24KB
MD5

17c14fb16e615f8f665af85d30590727
SHA1

d8a6168d2af3d23064ed69c04dfb67395a00e8ec
SHA256

e5f0e7040124109ecc2063a5b24e73f581fb84a2be6e961e24fbfe84af39cdcc
SHA512

a91322f5fe4cedb64aabac0cec6c718880dde6e48583d9d436edf3ba6835671bb53fa8405815c583fdcff741a20a9d4e87f233042d2c166610e54f12e18242ba
SSDEEP

384:E3eVES+/xwGkRKJXElM61qmTTMVF9/q5l20:bGS+ZfbJ0O8qYoAJ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	17c14fb16e615f8f665af85d30590727.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	17c14fb16e615f8f665af85d30590727.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2532	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4512	ipconfig.exe
664	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeDebugPrivilege	664	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3608	17c14fb16e615f8f665af85d30590727.exe
3608	17c14fb16e615f8f665af85d30590727.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 2512	3608	17c14fb16e615f8f665af85d30590727.exe	92
PID 3608 wrote to memory of 2512	3608	17c14fb16e615f8f665af85d30590727.exe	92
PID 3608 wrote to memory of 2512	3608	17c14fb16e615f8f665af85d30590727.exe	92
PID 2512 wrote to memory of 1908	2512	cmd.exe	95
PID 2512 wrote to memory of 1908	2512	cmd.exe	95
PID 2512 wrote to memory of 1908	2512	cmd.exe	95
PID 2512 wrote to memory of 4512	2512	cmd.exe	96
PID 2512 wrote to memory of 4512	2512	cmd.exe	96
PID 2512 wrote to memory of 4512	2512	cmd.exe	96
PID 2512 wrote to memory of 2532	2512	cmd.exe	97
PID 2512 wrote to memory of 2532	2512	cmd.exe	97
PID 2512 wrote to memory of 2532	2512	cmd.exe	97
PID 2512 wrote to memory of 1484	2512	cmd.exe	99
PID 2512 wrote to memory of 1484	2512	cmd.exe	99
PID 2512 wrote to memory of 1484	2512	cmd.exe	99
PID 1484 wrote to memory of 3560	1484	net.exe	100
PID 1484 wrote to memory of 3560	1484	net.exe	100
PID 1484 wrote to memory of 3560	1484	net.exe	100
PID 2512 wrote to memory of 664	2512	cmd.exe	101
PID 2512 wrote to memory of 664	2512	cmd.exe	101
PID 2512 wrote to memory of 664	2512	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\17c14fb16e615f8f665af85d30590727.exe
"C:\Users\Admin\AppData\Local\Temp\17c14fb16e615f8f665af85d30590727.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4512
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:3560
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
15KB

MD5
5aa3a2be8727a4b0a54c853de970dee2

SHA1
0b176386487f6eedc7de3dbbb2a39fd759a9f001

SHA256
04788c9177f81bd949288f0ad9613fd33017f5b720d8219056ec32a3502a75c0

SHA512
4257e96897123822b3fc4faf32c33b84a7b2a9acbab5b5a5d60f4f4b9e6bd3506a21277a20442cec2f9d9783df8a367c60ebac5b97a842ef45c4cee6ed86c0db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads