0f8a1c7d91ca79767a4e68dc1897873f38e658fe035c4dccb5dae277ae55d8d4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 05:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2922e5a7c5fad130ad86ef1725cfb14.exe
Size

24KB
MD5

c2922e5a7c5fad130ad86ef1725cfb14
SHA1

1ca0fd2f66c000cbad4332c0cb5c49c2b6704974
SHA256

0f8a1c7d91ca79767a4e68dc1897873f38e658fe035c4dccb5dae277ae55d8d4
SHA512

358ccda1937f4e0365827221e49641b4ea20c5ad40e2b20efdd64530cdb1240ea1d19f18cad850b1bae0e2e4e7aca2243dcade43c571c4813f033111c59410fd
SSDEEP

384:E3eVES+/xwGkRKJzJxTlM61qmTTMVF9/q5j0:bGS+ZfbJrO8qYoAI

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	c2922e5a7c5fad130ad86ef1725cfb14.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	c2922e5a7c5fad130ad86ef1725cfb14.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4420	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3552	ipconfig.exe
3696	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	tasklist.exe
Token: SeDebugPrivilege	3696	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4332	c2922e5a7c5fad130ad86ef1725cfb14.exe
4332	c2922e5a7c5fad130ad86ef1725cfb14.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1756	4332	c2922e5a7c5fad130ad86ef1725cfb14.exe	98
PID 4332 wrote to memory of 1756	4332	c2922e5a7c5fad130ad86ef1725cfb14.exe	98
PID 4332 wrote to memory of 1756	4332	c2922e5a7c5fad130ad86ef1725cfb14.exe	98
PID 1756 wrote to memory of 1028	1756	cmd.exe	100
PID 1756 wrote to memory of 1028	1756	cmd.exe	100
PID 1756 wrote to memory of 1028	1756	cmd.exe	100
PID 1756 wrote to memory of 3552	1756	cmd.exe	102
PID 1756 wrote to memory of 3552	1756	cmd.exe	102
PID 1756 wrote to memory of 3552	1756	cmd.exe	102
PID 1756 wrote to memory of 4420	1756	cmd.exe	103
PID 1756 wrote to memory of 4420	1756	cmd.exe	103
PID 1756 wrote to memory of 4420	1756	cmd.exe	103
PID 1756 wrote to memory of 440	1756	cmd.exe	106
PID 1756 wrote to memory of 440	1756	cmd.exe	106
PID 1756 wrote to memory of 440	1756	cmd.exe	106
PID 440 wrote to memory of 3116	440	net.exe	107
PID 440 wrote to memory of 3116	440	net.exe	107
PID 440 wrote to memory of 3116	440	net.exe	107
PID 1756 wrote to memory of 3696	1756	cmd.exe	109
PID 1756 wrote to memory of 3696	1756	cmd.exe	109
PID 1756 wrote to memory of 3696	1756	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\c2922e5a7c5fad130ad86ef1725cfb14.exe
"C:\Users\Admin\AppData\Local\Temp\c2922e5a7c5fad130ad86ef1725cfb14.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3552
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:3116
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
15KB

MD5
5b548ddc7829283d003f584f8e3e34b6

SHA1
93fda5e8e85b35e21b863d5ccf46dfe8514d6f54

SHA256
38f212fd600a1e4d1cf72c5af8270c7c864fcec71e32db58fe3782fbb30f7d90

SHA512
a316ad0cde02d97b8e4b7177a04bfd76ac468030ae828f29cef52acb61de57aeeee369eab7751db6ffe3c8996097c5522e2ea50b31c740b8fefd072876e7f691

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads