98bbb4787140f7eb6a67fae0cadcec8632bf9dd4f5784459c6d74e4d309f281b

General

Target

75031ef7283843b9efd6fb53819ffa4f.exe
Size

24KB
MD5

75031ef7283843b9efd6fb53819ffa4f
SHA1

17f98391b2f17751f49ee7755e6d574a8cff9a36
SHA256

98bbb4787140f7eb6a67fae0cadcec8632bf9dd4f5784459c6d74e4d309f281b
SHA512

c32621bb0347f08f02b2dcd55cd6dd8e193c58faaafa0827da2c083512d0846e1666e767f47692bfb1373c7c42405eb0f37b0f1b763886d6d7859eaae2caabc5
SSDEEP

384:E3eVES+/xwGkRKJmwQlM61qmTTMVF9/q5O0:bGS+ZfbJRQO8qYoAn

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75031ef7283843b9efd6fb53819ffa4f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	75031ef7283843b9efd6fb53819ffa4f.exe

Drops file in Program Files directory 1 IoCs

Processes:

75031ef7283843b9efd6fb53819ffa4f.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe 75031ef7283843b9efd6fb53819ffa4f.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1696 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

2240 ipconfig.exe
2672 NETSTAT.EXE
Runs net.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1696 tasklist.exe
Token: SeDebugPrivilege 2672 NETSTAT.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

75031ef7283843b9efd6fb53819ffa4f.exe

pid process

624 75031ef7283843b9efd6fb53819ffa4f.exe
624 75031ef7283843b9efd6fb53819ffa4f.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	75031ef7283843b9efd6fb53819ffa4f.exe

pid	process
1696	tasklist.exe

pid	process
2240	ipconfig.exe
2672	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	2672	NETSTAT.EXE

pid	process
624	75031ef7283843b9efd6fb53819ffa4f.exe
624	75031ef7283843b9efd6fb53819ffa4f.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

75031ef7283843b9efd6fb53819ffa4f.execmd.exenet.exe

description	pid	process	target process
PID 624 wrote to memory of 2992	624	75031ef7283843b9efd6fb53819ffa4f.exe	cmd.exe
PID 624 wrote to memory of 2992	624	75031ef7283843b9efd6fb53819ffa4f.exe	cmd.exe
PID 624 wrote to memory of 2992	624	75031ef7283843b9efd6fb53819ffa4f.exe	cmd.exe
PID 624 wrote to memory of 2992	624	75031ef7283843b9efd6fb53819ffa4f.exe	cmd.exe
PID 2992 wrote to memory of 1196	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 1196	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 1196	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 1196	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2240	2992	cmd.exe	ipconfig.exe
PID 2992 wrote to memory of 2240	2992	cmd.exe	ipconfig.exe
PID 2992 wrote to memory of 2240	2992	cmd.exe	ipconfig.exe
PID 2992 wrote to memory of 2240	2992	cmd.exe	ipconfig.exe
PID 2992 wrote to memory of 1696	2992	cmd.exe	tasklist.exe
PID 2992 wrote to memory of 1696	2992	cmd.exe	tasklist.exe
PID 2992 wrote to memory of 1696	2992	cmd.exe	tasklist.exe
PID 2992 wrote to memory of 1696	2992	cmd.exe	tasklist.exe
PID 2992 wrote to memory of 2580	2992	cmd.exe	net.exe
PID 2992 wrote to memory of 2580	2992	cmd.exe	net.exe
PID 2992 wrote to memory of 2580	2992	cmd.exe	net.exe
PID 2992 wrote to memory of 2580	2992	cmd.exe	net.exe
PID 2580 wrote to memory of 2656	2580	net.exe	net1.exe
PID 2580 wrote to memory of 2656	2580	net.exe	net1.exe
PID 2580 wrote to memory of 2656	2580	net.exe	net1.exe
PID 2580 wrote to memory of 2656	2580	net.exe	net1.exe
PID 2992 wrote to memory of 2672	2992	cmd.exe	NETSTAT.EXE
PID 2992 wrote to memory of 2672	2992	cmd.exe	NETSTAT.EXE
PID 2992 wrote to memory of 2672	2992	cmd.exe	NETSTAT.EXE
PID 2992 wrote to memory of 2672	2992	cmd.exe	NETSTAT.EXE

C:\Users\Admin\AppData\Local\Temp\75031ef7283843b9efd6fb53819ffa4f.exe
"C:\Users\Admin\AppData\Local\Temp\75031ef7283843b9efd6fb53819ffa4f.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c set
3⤵
PID:1196

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:2240

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\net.exe
net start
3⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start
4⤵
PID:2656

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -an
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log
Filesize
8KB

MD5
518f19a5c1277a7bb1330bdc112d88be

SHA1
b030c44cfeea32128361c894cc4c6b2348b96a0e

SHA256
a9b2447107634bbd9f2a9f43d7e812fc5ba1268f30b0e5fd32d6ac56652f76d2

SHA512
bd7eaf249f09941c517203db09b6aacb4bd6ba1da95c8198ad96c85db4d89dc0025cb1a4f05d1159a09cd7246de823f0a34ec5cb2d6f260e98bf0a3b90288ca7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads