ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4

Resubmissions

30-06-2021 16:31

210630-v7kg8l625j 10

28-06-2021 22:28

210628-nmx97k3rnn 10

Analysis

max time kernel
19270s
max time network
189s
platform
linux_amd64
resource
ubuntu-amd64
submitted
30-06-2021 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4.bin
Size

102KB
MD5

395249d3e6dae1caff6b5b2e1f75bacd
SHA1

29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
SHA256

ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4
SHA512

54bf867c030f708eb0975825d7c8e4c1b3bca49451bc08ebc3bb9fbd10e9ffdce82332ca200ee960b8ce7dfee1247e52c4ca11041cd976aa7cee6d4957144714

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

pkill

description ioc process

/sys/devices/system/cpu/online /sys/devices/system/cpu/online pkill

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkill

description	ioc	process
/proc/32/status	/proc/32/status	pkill
/proc/84/status	/proc/84/status	pkill
/proc/191/status	/proc/191/status	pkill
/proc/345/cmdline	/proc/345/cmdline	pkill
/proc/35/status	/proc/35/status	pkill
/proc/169/cmdline	/proc/169/cmdline	pkill
/proc/237/status	/proc/237/status	pkill
/proc/344/cmdline	/proc/344/cmdline	pkill
/proc/447/cmdline	/proc/447/cmdline	pkill
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	pkill
/proc/6/cmdline	/proc/6/cmdline	pkill
/proc/30/cmdline	/proc/30/cmdline	pkill
/proc/157/cmdline	/proc/157/cmdline	pkill
/proc/18/cmdline	/proc/18/cmdline	pkill
/proc/23/cmdline	/proc/23/cmdline	pkill
/proc/167/cmdline	/proc/167/cmdline	pkill
/proc/190/cmdline	/proc/190/cmdline	pkill
/proc/696/status	/proc/696/status	pkill
/proc/3/status	/proc/3/status	pkill
/proc/13/cmdline	/proc/13/cmdline	pkill
/proc/15/cmdline	/proc/15/cmdline	pkill
/proc/27/status	/proc/27/status	pkill
/proc/114/status	/proc/114/status	pkill
/proc/35/cmdline	/proc/35/cmdline	pkill
/proc/152/cmdline	/proc/152/cmdline	pkill
/proc/158/status	/proc/158/status	pkill
/proc/4/status	/proc/4/status	pkill
/proc/7/status	/proc/7/status	pkill
/proc/22/cmdline	/proc/22/cmdline	pkill
/proc/26/cmdline	/proc/26/cmdline	pkill
/proc/28/cmdline	/proc/28/cmdline	pkill
/proc/237/cmdline	/proc/237/cmdline	pkill
/proc/344/status	/proc/344/status	pkill
/proc/359/cmdline	/proc/359/cmdline	pkill
/proc/477/cmdline	/proc/477/cmdline	pkill
/proc/165/status	/proc/165/status	pkill
/proc/443/cmdline	/proc/443/cmdline	pkill
/proc/696/cmdline	/proc/696/cmdline	pkill
/proc/29/cmdline	/proc/29/cmdline	pkill
/proc/77/cmdline	/proc/77/cmdline	pkill
/proc/78/cmdline	/proc/78/cmdline	pkill
/proc/88/status	/proc/88/status	pkill
/proc/159/cmdline	/proc/159/cmdline	pkill
/proc/697/status	/proc/697/status	pkill
/proc/10/status	/proc/10/status	pkill
/proc/24/cmdline	/proc/24/cmdline	pkill
/proc/28/status	/proc/28/status	pkill
/proc/302/cmdline	/proc/302/cmdline	pkill
/proc/447/status	/proc/447/status	pkill
/proc/8/cmdline	/proc/8/cmdline	pkill
/proc/30/status	/proc/30/status	pkill
/proc/34/status	/proc/34/status	pkill
/proc/97/cmdline	/proc/97/cmdline	pkill
/proc/349/status	/proc/349/status	pkill
/proc/349/cmdline	/proc/349/cmdline	pkill
/proc/352/status	/proc/352/status	pkill
/proc/31/cmdline	/proc/31/cmdline	pkill
/proc/165/cmdline	/proc/165/cmdline	pkill
/proc/370/cmdline	/proc/370/cmdline	pkill
/proc/29/status	/proc/29/status	pkill
/proc/155/status	/proc/155/status	pkill
/proc/166/status	/proc/166/status	pkill
/proc/191/cmdline	/proc/191/cmdline	pkill
/proc/369/cmdline	/proc/369/cmdline	pkill

./ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4.bin
./ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4.bin
1⤵
PID:689
- "" "" ""
  2⤵
  PID:690
- - /bin/uname
    uname -a
    3⤵
    PID:691
- - /bin/hostname
    hostname
    3⤵
    PID:692
- "" "" ""
  2⤵
  PID:693
- - /bin/uname
    uname -a
    3⤵
    PID:694
- - /bin/hostname
    hostname
    3⤵
    PID:695
- "" "" "pkill -9 vmx-*"
  2⤵
  PID:696
- - /usr/bin/pkill
    pkill -9 "vmx-*"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:697
- "" "" ""
  2⤵
  PID:698
- - /usr/bin/awk
    awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
    3⤵
    PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads