fee0e9fa6f78e35297192360ef5f17de001d349e211aae060d87627ffb09e76e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

973e5f9acde81160ada149b065cf1aae.exe
Size

24KB
MD5

973e5f9acde81160ada149b065cf1aae
SHA1

c72bb9e147cd47415cc535c95fa7e1b2055fc3ea
SHA256

fee0e9fa6f78e35297192360ef5f17de001d349e211aae060d87627ffb09e76e
SHA512

4b3ff62c69422587d483ba290ab35c7df041812e22aec62b0538c15bf2ce1c9fd54e9ce21699a24f21081dda218d8477620eac612e45a7166007d78cc1ecbfad
SSDEEP

384:E3eVES+/xwGkRKJVvsafdlM61qmTTMVF9/q530:bGS+ZfbJVvhfdO8qYoAk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	973e5f9acde81160ada149b065cf1aae.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	973e5f9acde81160ada149b065cf1aae.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2700	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2284	ipconfig.exe
2388	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2388	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1936	973e5f9acde81160ada149b065cf1aae.exe
1936	973e5f9acde81160ada149b065cf1aae.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2000	1936	973e5f9acde81160ada149b065cf1aae.exe	22
PID 1936 wrote to memory of 2000	1936	973e5f9acde81160ada149b065cf1aae.exe	22
PID 1936 wrote to memory of 2000	1936	973e5f9acde81160ada149b065cf1aae.exe	22
PID 1936 wrote to memory of 2000	1936	973e5f9acde81160ada149b065cf1aae.exe	22
PID 2000 wrote to memory of 2296	2000	cmd.exe	26
PID 2000 wrote to memory of 2296	2000	cmd.exe	26
PID 2000 wrote to memory of 2296	2000	cmd.exe	26
PID 2000 wrote to memory of 2296	2000	cmd.exe	26
PID 2000 wrote to memory of 2284	2000	cmd.exe	24
PID 2000 wrote to memory of 2284	2000	cmd.exe	24
PID 2000 wrote to memory of 2284	2000	cmd.exe	24
PID 2000 wrote to memory of 2284	2000	cmd.exe	24
PID 2000 wrote to memory of 2700	2000	cmd.exe	25
PID 2000 wrote to memory of 2700	2000	cmd.exe	25
PID 2000 wrote to memory of 2700	2000	cmd.exe	25
PID 2000 wrote to memory of 2700	2000	cmd.exe	25
PID 2000 wrote to memory of 2092	2000	cmd.exe	35
PID 2000 wrote to memory of 2092	2000	cmd.exe	35
PID 2000 wrote to memory of 2092	2000	cmd.exe	35
PID 2000 wrote to memory of 2092	2000	cmd.exe	35
PID 2092 wrote to memory of 2668	2092	net.exe	34
PID 2092 wrote to memory of 2668	2092	net.exe	34
PID 2092 wrote to memory of 2668	2092	net.exe	34
PID 2092 wrote to memory of 2668	2092	net.exe	34
PID 2000 wrote to memory of 2388	2000	cmd.exe	36
PID 2000 wrote to memory of 2388	2000	cmd.exe	36
PID 2000 wrote to memory of 2388	2000	cmd.exe	36
PID 2000 wrote to memory of 2388	2000	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\973e5f9acde81160ada149b065cf1aae.exe
"C:\Users\Admin\AppData\Local\Temp\973e5f9acde81160ada149b065cf1aae.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2284
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
da813dfa31a6b9af9e262b73b334650e

SHA1
962857d95b3b2e5e557d1ff3a94956a0f6c3a7cc

SHA256
6a101496e6ff6194b7ae8f1d8bdb06a17843a7cb9bae0bbb785b3ab486608d4d

SHA512
f7d221438a0d660d4591042a9179093a9435bd1988cbf30315338ad0cd5735002e8140b3caf63855023de9aa1fc1be8df413b68da18a923c27f7c8332f9dd5cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads