f1c1f2cbbdd93309b94119370a1c73adbc46ccb06bd74877a8be7b44f10701a1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba63be0848ed74e81d70f8ee5778e53.exe
Size

24KB
MD5

cba63be0848ed74e81d70f8ee5778e53
SHA1

eaab1d3e377acb49db818253b4f52fa23e0df9b3
SHA256

f1c1f2cbbdd93309b94119370a1c73adbc46ccb06bd74877a8be7b44f10701a1
SHA512

f22eaa36f42227a5b934c03b4e3dcf9ab0e613cc2102e69974f33ae5a32cf9862811c04e79170e7c4bd72c49627b94fd9c294455a2455934586c383e1af59149
SSDEEP

384:E3eVES+/xwGkRKJd14lM61qmTTMVF9/q5h0:bGS+ZfbJj4O8qYoA+

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	cba63be0848ed74e81d70f8ee5778e53.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	cba63be0848ed74e81d70f8ee5778e53.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2896	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
860	ipconfig.exe
3676	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	3676	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3904	cba63be0848ed74e81d70f8ee5778e53.exe
3904	cba63be0848ed74e81d70f8ee5778e53.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3516	3904	cba63be0848ed74e81d70f8ee5778e53.exe	88
PID 3904 wrote to memory of 3516	3904	cba63be0848ed74e81d70f8ee5778e53.exe	88
PID 3904 wrote to memory of 3516	3904	cba63be0848ed74e81d70f8ee5778e53.exe	88
PID 3516 wrote to memory of 3364	3516	cmd.exe	90
PID 3516 wrote to memory of 3364	3516	cmd.exe	90
PID 3516 wrote to memory of 3364	3516	cmd.exe	90
PID 3516 wrote to memory of 860	3516	cmd.exe	91
PID 3516 wrote to memory of 860	3516	cmd.exe	91
PID 3516 wrote to memory of 860	3516	cmd.exe	91
PID 3516 wrote to memory of 2896	3516	cmd.exe	92
PID 3516 wrote to memory of 2896	3516	cmd.exe	92
PID 3516 wrote to memory of 2896	3516	cmd.exe	92
PID 3516 wrote to memory of 4624	3516	cmd.exe	94
PID 3516 wrote to memory of 4624	3516	cmd.exe	94
PID 3516 wrote to memory of 4624	3516	cmd.exe	94
PID 4624 wrote to memory of 1872	4624	net.exe	95
PID 4624 wrote to memory of 1872	4624	net.exe	95
PID 4624 wrote to memory of 1872	4624	net.exe	95
PID 3516 wrote to memory of 3676	3516	cmd.exe	96
PID 3516 wrote to memory of 3676	3516	cmd.exe	96
PID 3516 wrote to memory of 3676	3516	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\cba63be0848ed74e81d70f8ee5778e53.exe
"C:\Users\Admin\AppData\Local\Temp\cba63be0848ed74e81d70f8ee5778e53.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:860
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:1872
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
15KB

MD5
1a4ee85899a7f97154739356c81788e8

SHA1
bdbdeda223425ec68c0469525c8baed5809d6ce7

SHA256
84de054accb103c3090bed79d0184b27e9cf1c682e6a0c66ded93cd2d8f3b575

SHA512
91f657e22932d2818148223bddf4cbadd08044380837a7e43bc6bac0487ddfcec8bff6a869b0b7c32ec3aefe5d37de2b00c62887de04cb1d93446db15b39730e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads