Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-11-2020 02:38
Static task: static1
Behavioral task: behavioral1
- Sample: 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
- Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
- Target: 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
- Size: 1.0MB
- MD5: 54913eba4af75459add05894f27669ed
- SHA1: 076e4a9a326d253d4fbf9e426b54f6f08cd04aad
- SHA256: 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643
- SHA512: a6d19f375aa098a07a35c65184bcb5dd4d50a28590021747086bcb756e380023cdf95926fc459fb9d1d6cd1a2a844035555e89dbf04bdb80beedb344a5da8a7d
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid; process):
  932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  1228; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  1228; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description; pid; process; target process):
  PID 932 wrote to memory of 1228; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  PID 932 wrote to memory of 1228; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  PID 932 wrote to memory of 1228; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  PID 932 wrote to memory of 1228; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  PID 932 wrote to memory of 1376; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; cmd.exe
  PID 932 wrote to memory of 1376; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; cmd.exe
  PID 932 wrote to memory of 1376; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; cmd.exe
  PID 932 wrote to memory of 1376; 932; 24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe; cmd.exe
  PID 1376 wrote to memory of 1348; 1376; cmd.exe; PING.EXE
  PID 1376 wrote to memory of 1348; 1376; cmd.exe; PING.EXE
  PID 1376 wrote to memory of 1348; 1376; cmd.exe; PING.EXE
  PID 1376 wrote to memory of 1348; 1376; cmd.exe; PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe"
  Depth: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe /C
  Depth: 2
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\24f828742baaedb176d3dba0bdf3d06682c174a9b46b35bf5d145ee57f2aa643.exe"
  Depth: 2
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\PING.EXE
  Command line: ping.exe -n 6 127.0.0.1
  Depth: 3
  - Runs ping.exe