1a9e73e0e877edd16882dcc866467e7ee817efad6ef68a7de82c2c12b2e566fe

Analysis

max time kernel
1800s
max time network
1802s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-01-2023 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anonymous DoSer.exe
Size

278KB
MD5

270f2f56af0de91cc5f0b83ed241851b
SHA1

7b0ea98bb83ca8be24e62b2f68133f43867e6403
SHA256

1a9e73e0e877edd16882dcc866467e7ee817efad6ef68a7de82c2c12b2e566fe
SHA512

b8b4b06503cbc9da38a898088f8031b44ee0e4dd415f2ab853b360fd3065a37df7d63383913948cbc475669a6c5aaff6a20379d5bd89bbfa4c9510bff4e42597
SSDEEP

3072:ORWxXXyzEf1aALBCYp4xObgRuBOPL+RNUI65KB2pUwMjbKtMBy2bY:eWxHyzENaA9SO0RuQLPIApniU2

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1840	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3124	AUDIODG.EXE
Token: 33	3124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3124	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1840	1960	cmd.exe	30
PID 1960 wrote to memory of 1840	1960	cmd.exe	30
PID 1960 wrote to memory of 1840	1960	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\Anonymous DoSer.exe
"C:\Users\Admin\AppData\Local\Temp\Anonymous DoSer.exe"
1⤵
PID:1172

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\system32\PING.EXE
  ping redols.caib.es
  2⤵
  - Runs ping.exe
  PID:1840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1172-55-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1172-56-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-59-0x000000006F861000-0x000000006F863000-memory.dmp

Filesize
8KB

Download