7ca4684721edb6edbc211720c8cb85a9b247f91f8af5ad9a099bd15a3881cf7e

General

Target

7510093eca41736c67f262e9333a52ae.exe
Size

24KB
MD5

7510093eca41736c67f262e9333a52ae
SHA1

7132548963b5734a4e7abfc48cb24f31e60252af
SHA256

7ca4684721edb6edbc211720c8cb85a9b247f91f8af5ad9a099bd15a3881cf7e
SHA512

e1d4f1859c2e7c5d86ff4a64a2023acbe1c8eb7ae9d18aed5130effe3e799eefdf2f1659e453cb5af163728f0623d486a81516c2b5b9fa161ae03932f205de9e
SSDEEP

384:E3eVES+/xwGkRKJVOlM61qmTTMVF9/q5n0:bGS+ZfbJIO8qYoA0

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7510093eca41736c67f262e9333a52ae.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	7510093eca41736c67f262e9333a52ae.exe

Drops file in Program Files directory 1 IoCs

Processes:

7510093eca41736c67f262e9333a52ae.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe 7510093eca41736c67f262e9333a52ae.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2740 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

2824 NETSTAT.EXE
2232 ipconfig.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2740 tasklist.exe
Token: SeDebugPrivilege 2824 NETSTAT.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7510093eca41736c67f262e9333a52ae.exe

pid process

2476 7510093eca41736c67f262e9333a52ae.exe
2476 7510093eca41736c67f262e9333a52ae.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	7510093eca41736c67f262e9333a52ae.exe

pid	process
2740	tasklist.exe

pid	process
2824	NETSTAT.EXE
2232	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	2824	NETSTAT.EXE

pid	process
2476	7510093eca41736c67f262e9333a52ae.exe
2476	7510093eca41736c67f262e9333a52ae.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7510093eca41736c67f262e9333a52ae.execmd.exenet.exe

description	pid	process	target process
PID 2476 wrote to memory of 2968	2476	7510093eca41736c67f262e9333a52ae.exe	cmd.exe
PID 2476 wrote to memory of 2968	2476	7510093eca41736c67f262e9333a52ae.exe	cmd.exe
PID 2476 wrote to memory of 2968	2476	7510093eca41736c67f262e9333a52ae.exe	cmd.exe
PID 2476 wrote to memory of 2968	2476	7510093eca41736c67f262e9333a52ae.exe	cmd.exe
PID 2968 wrote to memory of 2360	2968	cmd.exe	cmd.exe
PID 2968 wrote to memory of 2360	2968	cmd.exe	cmd.exe
PID 2968 wrote to memory of 2360	2968	cmd.exe	cmd.exe
PID 2968 wrote to memory of 2360	2968	cmd.exe	cmd.exe
PID 2968 wrote to memory of 2232	2968	cmd.exe	ipconfig.exe
PID 2968 wrote to memory of 2232	2968	cmd.exe	ipconfig.exe
PID 2968 wrote to memory of 2232	2968	cmd.exe	ipconfig.exe
PID 2968 wrote to memory of 2232	2968	cmd.exe	ipconfig.exe
PID 2968 wrote to memory of 2740	2968	cmd.exe	tasklist.exe
PID 2968 wrote to memory of 2740	2968	cmd.exe	tasklist.exe
PID 2968 wrote to memory of 2740	2968	cmd.exe	tasklist.exe
PID 2968 wrote to memory of 2740	2968	cmd.exe	tasklist.exe
PID 2968 wrote to memory of 2668	2968	cmd.exe	net.exe
PID 2968 wrote to memory of 2668	2968	cmd.exe	net.exe
PID 2968 wrote to memory of 2668	2968	cmd.exe	net.exe
PID 2968 wrote to memory of 2668	2968	cmd.exe	net.exe
PID 2668 wrote to memory of 1220	2668	net.exe	net1.exe
PID 2668 wrote to memory of 1220	2668	net.exe	net1.exe
PID 2668 wrote to memory of 1220	2668	net.exe	net1.exe
PID 2668 wrote to memory of 1220	2668	net.exe	net1.exe
PID 2968 wrote to memory of 2824	2968	cmd.exe	NETSTAT.EXE
PID 2968 wrote to memory of 2824	2968	cmd.exe	NETSTAT.EXE
PID 2968 wrote to memory of 2824	2968	cmd.exe	NETSTAT.EXE
PID 2968 wrote to memory of 2824	2968	cmd.exe	NETSTAT.EXE

C:\Users\Admin\AppData\Local\Temp\7510093eca41736c67f262e9333a52ae.exe
"C:\Users\Admin\AppData\Local\Temp\7510093eca41736c67f262e9333a52ae.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
2⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c set
3⤵
PID:2360

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:2232

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\net.exe
net start
3⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start
4⤵
PID:1220

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -an
3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log
Filesize
8KB

MD5
1e3d01147e8e7330fd04907a41901328

SHA1
24c56ad4afc47469ccb48ebc59c5b1f7b43d3f50

SHA256
bd30f6bca6e759aea9b68231c555a44405f9cb885edcbdf1786e85c4a54de43d

SHA512
25d8a8bd6696c061cda43757d93f5a58c75d71c6588b8e846ff9288d7092ea557afb7d85e20bd21f20a2160ee16a5cd4072ae8fed5cab273f68030b6dc89fb5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads