Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
18/01/2024, 00:22
Static task
static1
Behavioral task
behavioral1
Sample
63fe734e3127fcb4a381dbb11f537e54.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
63fe734e3127fcb4a381dbb11f537e54.exe
Resource
win10v2004-20231215-en
General
-
Target
63fe734e3127fcb4a381dbb11f537e54.exe
-
Size
24KB
-
MD5
63fe734e3127fcb4a381dbb11f537e54
-
SHA1
2172859ae3144a7df10889f409520fe8d4fb73dc
-
SHA256
f30ddd5555c5b60d7010b20fd6feb216717401d73f28b68c31ee4b555d53e061
-
SHA512
f6bfe8969c218fbae939df7bec5a6b1878eafd08296a3e44f0a865241da056f11d5820d7d540275e96ef30f95ffb92e8986b1d7eeca23bde904428fb7e2f903c
-
SSDEEP
384:E3eVES+/xwGkRKJXtlM61qmTTMVF9/q5P0:bGS+ZfbJ9O8qYoAs
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | 63fe734e3127fcb4a381dbb11f537e54.exe
-
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | 63fe734e3127fcb4a381dbb11f537e54.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
2784 | tasklist.exe
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid | Process
1072 | ipconfig.exe
1164 | NETSTAT.EXE
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2784 | tasklist.exe
Token: SeDebugPrivilege | 1164 | NETSTAT.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
308 | 63fe734e3127fcb4a381dbb11f537e54.exe
308 | 63fe734e3127fcb4a381dbb11f537e54.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 308 wrote to memory of 1768 | 308 | 63fe734e3127fcb4a381dbb11f537e54.exe | 28 (4 entries)
PID 1768 wrote to memory of 2332 | 1768 | cmd.exe | 30 (4 entries)
PID 1768 wrote to memory of 1072 | 1768 | cmd.exe | 31 (4 entries)
PID 1768 wrote to memory of 2784 | 1768 | cmd.exe | 32 (4 entries)
PID 1768 wrote to memory of 2748 | 1768 | cmd.exe | 34 (4 entries)
PID 2748 wrote to memory of 2724 | 2748 | net.exe | 35 (4 entries)
PID 1768 wrote to memory of 1164 | 1768 | cmd.exe | 36 (4 entries)
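The Run key and the dropped file above point at the same binary: a spoolsv.exe placed under Program Files rather than at the Print Spooler's real location, %SystemRoot%\System32\spoolsv.exe, and registered under the Wow6432Node (32-bit) view of the Run key. The following Python is an added example, not part of the sandbox report, that applies those two checks to the report's own IoCs and ties the Run value back to the file the sample dropped. The key, value and path are copied from the report; the list of system-binary names and the helper names (path_findings, run_key_findings, correlate_with_drops, triage) are the editor's assumptions.

```python
from pathlib import PureWindowsPath

# IoCs copied from the "Signatures" section of this report.
RUN_KEY_EVENT = {
    "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    "name": "Start GeekBuddy",
    "value": r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe",
}
DROPPED_FILES = [
    r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe",
]

# Editor's assumption: a short list of Windows binaries that legitimately live
# only under System32 / SysWOW64. Extend it from your own golden image.
SYSTEM_BINARY_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def path_findings(path):
    """Reasons a path looks like system-binary masquerading (empty list if none)."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    findings = []
    if p.name.lower() in SYSTEM_BINARY_NAMES and not parent.startswith(SYSTEM_DIRS):
        findings.append(f"{p.name} outside System32/SysWOW64: {p.parent}")
    return findings


def run_key_findings(event):
    """Check a Run-key 'set value' event for persistence red flags."""
    findings = path_findings(event["value"])
    if "wow6432node" in event["key"].lower():
        # 32-bit registry view: a 32-bit process wrote this on 64-bit Windows,
        # which matches the SysWOW64 children in the process tree.
        findings.append("Run value set under Wow6432Node (32-bit view)")
    return findings


def correlate_with_drops(event, dropped_files):
    """Return the dropped files that the Run value launches (case-insensitive)."""
    target = event["value"].lower()
    return [d for d in dropped_files if d.lower() == target]


def triage(event=RUN_KEY_EVENT, dropped_files=DROPPED_FILES):
    """Bundle the checks for one Run-key event against the sample's drops."""
    return {
        "findings": run_key_findings(event),
        "launches_dropped_file": correlate_with_drops(event, dropped_files),
    }


if __name__ == "__main__":
    result = triage()
    for line in result["findings"]:
        print("FINDING:", line)
    print("persistence target was dropped by the sample:", result["launches_dropped_file"])
```

On a live host the same two inputs come from Get-ItemProperty on the Run key (both the native and the Wow6432Node paths) and a directory listing of the Web Folders\1033 path; the file name alone is not enough, since the spooler binary of the same name is legitimate in System32.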
Processes
-
C:\Users\Admin\AppData\Local\Temp\63fe734e3127fcb4a381dbb11f537e54.exe (PID 308, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\63fe734e3127fcb4a381dbb11f537e54.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1768, depth 2)
    cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2332, depth 3)
      cmd /c set
    C:\Windows\SysWOW64\ipconfig.exe (PID 1072, depth 3)
      ipconfig /all
      - Gathers network information
    C:\Windows\SysWOW64\tasklist.exe (PID 2784, depth 3)
      tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\net.exe (PID 2748, depth 3)
      net start
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 2724, depth 4)
        C:\Windows\system32\net1 start
    C:\Windows\SysWOW64\NETSTAT.EXE (PID 1164, depth 3)
      netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
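The depth-2 cmd.exe command line is a single chained reconnaissance batch: six utilities, each appended to c:\windows\temp\flash.log, which is the artifact to collect from an affected host alongside the dropped spoolsv.exe. The following Python is an added example, not code from the report, that splits that command line on unquoted "&" the way cmd.exe separates chained commands, strips the redirections, and flags the chain when several distinct enumeration utilities write to one output file. The command line is quoted verbatim from the process tree; the utility-to-purpose map, the threshold of three and the function names (split_chain, analyse, is_recon_chain) are the editor's assumptions.

```python
import re

# Command line of the depth-2 cmd.exe (PID 1768), quoted verbatim from the report.
CMDLINE = (
    r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & "
    r"ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & "
    r"net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log"
)

# Editor's assumption: enumeration utilities and what each one hands the operator.
RECON_UTILITIES = {
    "ver": "OS version",
    "set": "environment (user, host, domain, paths)",
    "ipconfig": "network configuration",
    "tasklist": "running processes, including security products",
    "net": "net start: running services",
    "netstat": "listening ports and live connections",
}

# A '>' or '>>' redirection followed by the target file.
REDIRECT = re.compile(r"\s*>>?\s*(\S+)")


def split_chain(cmdline):
    """Split on unquoted '&' the way cmd.exe separates chained commands."""
    parts, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def analyse(cmdline):
    """Return the chained commands, the recon utilities seen and the output files."""
    commands = split_chain(cmdline)
    utilities, outputs = [], set()
    for cmd in commands:
        m = REDIRECT.search(cmd)
        if m:
            outputs.add(m.group(1).lower())
            cmd = cmd[: m.start()]
        tokens = cmd.split()
        if [t.lower() for t in tokens[:2]] == ["cmd", "/c"]:  # drop a "cmd /c" wrapper
            tokens = tokens[2:]
        if not tokens:
            continue
        util = tokens[0].lower().rsplit(".", 1)[0]  # NETSTAT.EXE -> netstat
        if util in RECON_UTILITIES:
            utilities.append(util)
    return {"commands": commands, "utilities": utilities, "outputs": sorted(outputs)}


def is_recon_chain(result, threshold=3):
    """Several distinct enumeration tools funnelled into one file is the pattern here."""
    return len(set(result["utilities"])) >= threshold and len(result["outputs"]) == 1


if __name__ == "__main__":
    r = analyse(CMDLINE)
    for u in r["utilities"]:
        print(f"{u:9s} -> {RECON_UTILITIES[u]}")
    print("collect:", r["outputs"], "| recon chain:", is_recon_chain(r))
```

The split is what makes the process tree match the command line: each part after the outer cmd /c becomes one child (the nested cmd /c set is why a second cmd.exe appears at depth 3), and the shared redirection target explains why no separate exfiltration step is visible in this run; the collected log sits on disk for whatever comes next.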
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
8KB
MD5 accb35fe48db448371c40186aff87a89
SHA1 f3fd90f98bdfa9d968172c13fe0522fded798972
SHA256 f613ef92a4caf66f2da6ba6118053cb89845e208d0a7e7b0b3c1aa828c806e04
SHA512 b0ce1d2215ae39278da05f39483537762deb0b617c63bc8e56209eb8f0172911eec6686ceec4ad4a7f4aeb535678c43363b15b280dbeeb23d8d0d86c57c679ab