6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe
Size

36KB
MD5

b5cabdb98720e665df42db5b4f3adabb
SHA1

9b508c09d043d1a5e392085211c8b107eab1183f
SHA256

6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060
SHA512

10f71e89796c05835a94d98627fbcc9c722183caa310079661a048a7a4c80603065100a85dac188c3ae149233961a52faeb1f88f79c2f2599fc05dc7e31f9e03
SSDEEP

384:b5bxQvdb37VANuHtG9JewdIrPlGAMBcm/sXPGtzlhJK0sfW3NhbxQvd1:tbCF37VAnVIrPlTMSm2qz968vbCT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
332	PING.EXE
1568	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe
Token: SeBackupPrivilege	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe
852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 852 wrote to memory of 824	852	6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe	29
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 332	824	cmd.exe	31
PID 824 wrote to memory of 1568	824	cmd.exe	32
PID 824 wrote to memory of 1568	824	cmd.exe	32
PID 824 wrote to memory of 1568	824	cmd.exe	32
PID 824 wrote to memory of 1568	824	cmd.exe	32
PID 824 wrote to memory of 1568	824	cmd.exe	32
PID 824 wrote to memory of 1568	824	cmd.exe	32
PID 824 wrote to memory of 1568	824	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe
"C:\Users\Admin\AppData\Local\Temp\6d6f3667fc34b307338c16be4953043d15dcddcb7c066ae1db1b2c7a3ef26060.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ab7793.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\PING.EXE
    PING www.google.com
    3⤵
    - Runs ping.exe
    PID:332
- - C:\Windows\SysWOW64\PING.EXE
    PING www.google.com
    3⤵
    - Runs ping.exe
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ab7793.bat

Filesize
210B

MD5
3031f521adf3fa1ce9f020f850421b69

SHA1
1b6d1ba4ee9620a3ef992a0fad9ce1e4b94686bb

SHA256
8fdc7c6315dbcf1f281c3e6d67f2a7602167dd0a16ff8e02779c63fcbd6aa2bd

SHA512
6bbce6a8216068a82b7b97e60af5935851bb0256d57f096231bfc5b378639b25ec0960a268aa404932330f9f80b888dccca199f72a46f546ce9ccd1a7223232f

Download Submit
memory/852-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download