5f9f6420cc6fcb319f8784f75037b0961f5d509c4fe013136ff500ae284f8dab

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc40d992525251e19300358fcdaa5c5.exe
Size

24KB
MD5

adc40d992525251e19300358fcdaa5c5
SHA1

b62e9e439018e5cb41d94acbae829469b514600d
SHA256

5f9f6420cc6fcb319f8784f75037b0961f5d509c4fe013136ff500ae284f8dab
SHA512

c9249c053bddc89c02b92b550afa690f9dfc2e27cdca5714c66d42b423ac7cf8f061f20f28b5a4b4dd1f0b571e215a728ce006f95e28786bf41bfd29f85f4226
SSDEEP

384:E3eVES+/xwGkRKJRlrUY3lM61qmTTMVF9/q5Q0:bGS+ZfbJbrT3O8qYoAp

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	adc40d992525251e19300358fcdaa5c5.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	adc40d992525251e19300358fcdaa5c5.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
5068	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4856	ipconfig.exe
2428	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	tasklist.exe
Token: SeDebugPrivilege	2428	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
288	adc40d992525251e19300358fcdaa5c5.exe
288	adc40d992525251e19300358fcdaa5c5.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 4264	288	adc40d992525251e19300358fcdaa5c5.exe	86
PID 288 wrote to memory of 4264	288	adc40d992525251e19300358fcdaa5c5.exe	86
PID 288 wrote to memory of 4264	288	adc40d992525251e19300358fcdaa5c5.exe	86
PID 4264 wrote to memory of 3164	4264	cmd.exe	89
PID 4264 wrote to memory of 3164	4264	cmd.exe	89
PID 4264 wrote to memory of 3164	4264	cmd.exe	89
PID 4264 wrote to memory of 4856	4264	cmd.exe	90
PID 4264 wrote to memory of 4856	4264	cmd.exe	90
PID 4264 wrote to memory of 4856	4264	cmd.exe	90
PID 4264 wrote to memory of 5068	4264	cmd.exe	91
PID 4264 wrote to memory of 5068	4264	cmd.exe	91
PID 4264 wrote to memory of 5068	4264	cmd.exe	91
PID 4264 wrote to memory of 256	4264	cmd.exe	95
PID 4264 wrote to memory of 256	4264	cmd.exe	95
PID 4264 wrote to memory of 256	4264	cmd.exe	95
PID 256 wrote to memory of 2892	256	net.exe	96
PID 256 wrote to memory of 2892	256	net.exe	96
PID 256 wrote to memory of 2892	256	net.exe	96
PID 4264 wrote to memory of 2428	4264	cmd.exe	97
PID 4264 wrote to memory of 2428	4264	cmd.exe	97
PID 4264 wrote to memory of 2428	4264	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\adc40d992525251e19300358fcdaa5c5.exe
"C:\Users\Admin\AppData\Local\Temp\adc40d992525251e19300358fcdaa5c5.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4856
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
14KB

MD5
de9988d4b1841bbe265ca0361fcade01

SHA1
7b66e5a94c799fd94f9cb701a8bbb826deb21164

SHA256
26b34841ceb57a0006dc3f4277b78e4beb59b215862656578a01477394e20848

SHA512
555b8ec093d27ae1785abf5277fe21042c553c103fc27df1166291e9cfb81168c7cbf7d4ef313e7bc1a14741cf929603a67acaba456ba3dfe3d9e622991112b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads