Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:51
Static task: static1
Behavioral task: behavioral1
- Sample: 75031ef7283843b9efd6fb53819ffa4f.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 75031ef7283843b9efd6fb53819ffa4f.exe
- Resource: win10v2004-20231222-en
General
- Target: 75031ef7283843b9efd6fb53819ffa4f.exe
- Size: 24KB
- MD5: 75031ef7283843b9efd6fb53819ffa4f
- SHA1: 17f98391b2f17751f49ee7755e6d574a8cff9a36
- SHA256: 98bbb4787140f7eb6a67fae0cadcec8632bf9dd4f5784459c6d74e4d309f281b
- SHA512: c32621bb0347f08f02b2dcd55cd6dd8e193c58faaafa0827da2c083512d0846e1666e767f47692bfb1373c7c42405eb0f37b0f1b763886d6d7859eaae2caabc5
- SSDEEP: 384:E3eVES+/xwGkRKJmwQlM61qmTTMVF9/q5O0:bGS+ZfbJRQO8qYoAn
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 75031ef7283843b9efd6fb53819ffa4f.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: 75031ef7283843b9efd6fb53819ffa4f.exe
- Drops file in Program Files directory (1 IoC)
  Processes: 75031ef7283843b9efd6fb53819ffa4f.exe
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: 75031ef7283843b9efd6fb53819ffa4f.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, NETSTAT.EXE
  pid / process:
  2240 / ipconfig.exe
  2672 / NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: tasklist.exe, NETSTAT.EXE
  description / pid / process:
  Token: SeDebugPrivilege / 1696 / tasklist.exe
  Token: SeDebugPrivilege / 2672 / NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 75031ef7283843b9efd6fb53819ffa4f.exe
  pid / process:
  624 / 75031ef7283843b9efd6fb53819ffa4f.exe
  624 / 75031ef7283843b9efd6fb53819ffa4f.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 75031ef7283843b9efd6fb53819ffa4f.exe, cmd.exe, net.exe
  description / pid / process / target process (each of the seven entries below is recorded four times, giving 28 IoCs):
  PID 624 wrote to memory of 2992 / 624 / 75031ef7283843b9efd6fb53819ffa4f.exe / cmd.exe
  PID 2992 wrote to memory of 1196 / 2992 / cmd.exe / cmd.exe
  PID 2992 wrote to memory of 2240 / 2992 / cmd.exe / ipconfig.exe
  PID 2992 wrote to memory of 1696 / 2992 / cmd.exe / tasklist.exe
  PID 2992 wrote to memory of 2580 / 2992 / cmd.exe / net.exe
  PID 2580 wrote to memory of 2656 / 2580 / net.exe / net1.exe
  PID 2992 wrote to memory of 2672 / 2992 / cmd.exe / NETSTAT.EXE
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\75031ef7283843b9efd6fb53819ffa4f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75031ef7283843b9efd6fb53819ffa4f.exe"
  Signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 624
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2992
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c set
      PID: 1196
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /all
      Signatures: Gathers network information
      PID: 2240
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      PID: 1696
    - C:\Windows\SysWOW64\net.exe
      Command line: net start
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2580
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start
        PID: 2656
    - C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: netstat -an
      Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
      PID: 2672
Network
MITRE ATT&CK Enterprise v15
Downloads
- \??\c:\windows\temp\flash.log
  Filesize: 8KB
  MD5: 518f19a5c1277a7bb1330bdc112d88be
  SHA1: b030c44cfeea32128361c894cc4c6b2348b96a0e
  SHA256: a9b2447107634bbd9f2a9f43d7e812fc5ba1268f30b0e5fd32d6ac56652f76d2
  SHA512: bd7eaf249f09941c517203db09b6aacb4bd6ba1da95c8198ad96c85db4d89dc0025cb1a4f05d1159a09cd7246de823f0a34ec5cb2d6f260e98bf0a3b90288ca7