03bb2b6ecfac544566dc9479d5617ed208432287b2129ac7b713799f6a1b9cb7

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

977d16bfab3fcbb4bbbfe98bca7182c2.exe
Size

24KB
MD5

977d16bfab3fcbb4bbbfe98bca7182c2
SHA1

efe9238100a5a6c9d28acf93d1cb2592f92a7f62
SHA256

03bb2b6ecfac544566dc9479d5617ed208432287b2129ac7b713799f6a1b9cb7
SHA512

fbae7ae4e284365226efe36c8bc4c75f3b98bc24305e0018e4432a31f3a06f6f3c0d4bf1ceca2fcd41911d1277e53b508b94a3d9e3e3dbfeff7da650f94a909d
SSDEEP

384:E3eVES+/xwGkRKJg9ZlM61qmTTMVF9/q5H0:bGS+ZfbJMZO8qYoAU

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	977d16bfab3fcbb4bbbfe98bca7182c2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	977d16bfab3fcbb4bbbfe98bca7182c2.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2832	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3052	ipconfig.exe
2884	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	tasklist.exe
Token: SeDebugPrivilege	2884	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2808	977d16bfab3fcbb4bbbfe98bca7182c2.exe
2808	977d16bfab3fcbb4bbbfe98bca7182c2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2896	2808	977d16bfab3fcbb4bbbfe98bca7182c2.exe	28
PID 2808 wrote to memory of 2896	2808	977d16bfab3fcbb4bbbfe98bca7182c2.exe	28
PID 2808 wrote to memory of 2896	2808	977d16bfab3fcbb4bbbfe98bca7182c2.exe	28
PID 2808 wrote to memory of 2896	2808	977d16bfab3fcbb4bbbfe98bca7182c2.exe	28
PID 2896 wrote to memory of 2656	2896	cmd.exe	30
PID 2896 wrote to memory of 2656	2896	cmd.exe	30
PID 2896 wrote to memory of 2656	2896	cmd.exe	30
PID 2896 wrote to memory of 2656	2896	cmd.exe	30
PID 2896 wrote to memory of 3052	2896	cmd.exe	31
PID 2896 wrote to memory of 3052	2896	cmd.exe	31
PID 2896 wrote to memory of 3052	2896	cmd.exe	31
PID 2896 wrote to memory of 3052	2896	cmd.exe	31
PID 2896 wrote to memory of 2832	2896	cmd.exe	32
PID 2896 wrote to memory of 2832	2896	cmd.exe	32
PID 2896 wrote to memory of 2832	2896	cmd.exe	32
PID 2896 wrote to memory of 2832	2896	cmd.exe	32
PID 2896 wrote to memory of 2848	2896	cmd.exe	34
PID 2896 wrote to memory of 2848	2896	cmd.exe	34
PID 2896 wrote to memory of 2848	2896	cmd.exe	34
PID 2896 wrote to memory of 2848	2896	cmd.exe	34
PID 2848 wrote to memory of 2776	2848	net.exe	35
PID 2848 wrote to memory of 2776	2848	net.exe	35
PID 2848 wrote to memory of 2776	2848	net.exe	35
PID 2848 wrote to memory of 2776	2848	net.exe	35
PID 2896 wrote to memory of 2884	2896	cmd.exe	36
PID 2896 wrote to memory of 2884	2896	cmd.exe	36
PID 2896 wrote to memory of 2884	2896	cmd.exe	36
PID 2896 wrote to memory of 2884	2896	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\977d16bfab3fcbb4bbbfe98bca7182c2.exe
"C:\Users\Admin\AppData\Local\Temp\977d16bfab3fcbb4bbbfe98bca7182c2.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3052
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
83cc76e35d0a0d1c22142293f1f088b4

SHA1
a720027f4c7059428135307f402d19f21443287a

SHA256
60f63ec18fce6b27585ec65a6fcc588ddcd7a2996bf687e4bf36ed01abda7c08

SHA512
bc7edb460688223066d2c2f6999acfa2cdd3c6177712ea790aa6c2d86978be20e4dcf870419733c7ad54d1d2d88830de0363a617ec63f7ce7b134a3a7531e5c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads