Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 25-01-2024 17:13
Static task: static1
Behavioral task: behavioral1
- Sample: 7510093eca41736c67f262e9333a52ae.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7510093eca41736c67f262e9333a52ae.exe
- Resource: win10v2004-20231222-en
General
- Target: 7510093eca41736c67f262e9333a52ae.exe
- Size: 24KB
- MD5: 7510093eca41736c67f262e9333a52ae
- SHA1: 7132548963b5734a4e7abfc48cb24f31e60252af
- SHA256: 7ca4684721edb6edbc211720c8cb85a9b247f91f8af5ad9a099bd15a3881cf7e
- SHA512: e1d4f1859c2e7c5d86ff4a64a2023acbe1c8eb7ae9d18aed5130effe3e799eefdf2f1659e453cb5af163728f0623d486a81516c2b5b9fa161ae03932f205de9e
- SSDEEP: 384:E3eVES+/xwGkRKJVOlM61qmTTMVF9/q5n0:bGS+ZfbJIO8qYoA0
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 7510093eca41736c67f262e9333a52ae.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | 7510093eca41736c67f262e9333a52ae.exe
- Drops file in Program Files directory (1 IoCs)
  Processes: 7510093eca41736c67f262e9333a52ae.exe
  description | ioc | process
  File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | 7510093eca41736c67f262e9333a52ae.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: NETSTAT.EXE, ipconfig.exe
  pid | process
  2824 | NETSTAT.EXE
  2232 | ipconfig.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: tasklist.exe, NETSTAT.EXE
  description | pid | process
  Token: SeDebugPrivilege | 2740 | tasklist.exe
  Token: SeDebugPrivilege | 2824 | NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 7510093eca41736c67f262e9333a52ae.exe
  pid | process
  2476 | 7510093eca41736c67f262e9333a52ae.exe
  2476 | 7510093eca41736c67f262e9333a52ae.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 7510093eca41736c67f262e9333a52ae.exe, cmd.exe, net.exe
  description | pid | process | target process
  PID 2476 wrote to memory of 2968 | 2476 | 7510093eca41736c67f262e9333a52ae.exe | cmd.exe
  PID 2476 wrote to memory of 2968 | 2476 | 7510093eca41736c67f262e9333a52ae.exe | cmd.exe
  PID 2476 wrote to memory of 2968 | 2476 | 7510093eca41736c67f262e9333a52ae.exe | cmd.exe
  PID 2476 wrote to memory of 2968 | 2476 | 7510093eca41736c67f262e9333a52ae.exe | cmd.exe
  PID 2968 wrote to memory of 2360 | 2968 | cmd.exe | cmd.exe
  PID 2968 wrote to memory of 2360 | 2968 | cmd.exe | cmd.exe
  PID 2968 wrote to memory of 2360 | 2968 | cmd.exe | cmd.exe
  PID 2968 wrote to memory of 2360 | 2968 | cmd.exe | cmd.exe
  PID 2968 wrote to memory of 2232 | 2968 | cmd.exe | ipconfig.exe
  PID 2968 wrote to memory of 2232 | 2968 | cmd.exe | ipconfig.exe
  PID 2968 wrote to memory of 2232 | 2968 | cmd.exe | ipconfig.exe
  PID 2968 wrote to memory of 2232 | 2968 | cmd.exe | ipconfig.exe
  PID 2968 wrote to memory of 2740 | 2968 | cmd.exe | tasklist.exe
  PID 2968 wrote to memory of 2740 | 2968 | cmd.exe | tasklist.exe
  PID 2968 wrote to memory of 2740 | 2968 | cmd.exe | tasklist.exe
  PID 2968 wrote to memory of 2740 | 2968 | cmd.exe | tasklist.exe
  PID 2968 wrote to memory of 2668 | 2968 | cmd.exe | net.exe
  PID 2968 wrote to memory of 2668 | 2968 | cmd.exe | net.exe
  PID 2968 wrote to memory of 2668 | 2968 | cmd.exe | net.exe
  PID 2968 wrote to memory of 2668 | 2968 | cmd.exe | net.exe
  PID 2668 wrote to memory of 1220 | 2668 | net.exe | net1.exe
  PID 2668 wrote to memory of 1220 | 2668 | net.exe | net1.exe
  PID 2668 wrote to memory of 1220 | 2668 | net.exe | net1.exe
  PID 2668 wrote to memory of 1220 | 2668 | net.exe | net1.exe
  PID 2968 wrote to memory of 2824 | 2968 | cmd.exe | NETSTAT.EXE
  PID 2968 wrote to memory of 2824 | 2968 | cmd.exe | NETSTAT.EXE
  PID 2968 wrote to memory of 2824 | 2968 | cmd.exe | NETSTAT.EXE
  PID 2968 wrote to memory of 2824 | 2968 | cmd.exe | NETSTAT.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\7510093eca41736c67f262e9333a52ae.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7510093eca41736c67f262e9333a52ae.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2476
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    PID: 2968
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: cmd /c set
      PID: 2360
    - C:\Windows\SysWOW64\ipconfig.exe (depth 3)
      command line: ipconfig /all
      - Gathers network information
      PID: 2232
    - C:\Windows\SysWOW64\tasklist.exe (depth 3)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID: 2740
    - C:\Windows\SysWOW64\net.exe (depth 3)
      command line: net start
      - Suspicious use of WriteProcessMemory
      PID: 2668
      - C:\Windows\SysWOW64\net1.exe (depth 4)
        command line: C:\Windows\system32\net1 start
        PID: 1220
    - C:\Windows\SysWOW64\NETSTAT.EXE (depth 3)
      command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
- \??\c:\windows\temp\flash.log
  Filesize: 8KB
  MD5: 1e3d01147e8e7330fd04907a41901328
  SHA1: 24c56ad4afc47469ccb48ebc59c5b1f7b43d3f50
  SHA256: bd30f6bca6e759aea9b68231c555a44405f9cb885edcbdf1786e85c4a54de43d
  SHA512: 25d8a8bd6696c061cda43757d93f5a58c75d71c6588b8e846ff9288d7092ea557afb7d85e20bd21f20a2160ee16a5cd4072ae8fed5cab273f68030b6dc89fb5b