Analysis
- max time kernel: 143s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-08-2023 15:50
Behavioral task: behavioral1
- Sample: x6MPVreS87fF.exe
- Resource: win7-20230712-en (windows7-x64)
- 4 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: x6MPVreS87fF.exe
- Resource: win10v2004-20230703-en (windows10-2004-x64)
- 3 signatures
- 150 seconds
General
-
Target
x6MPVreS87fF.exe
-
Size
78KB
-
MD5
11f51103b0503a907f2fe737effcba23
-
SHA1
5519cd0e85228fbc49bc1a14a24785435b184ca4
-
SHA256
7598961daa8affac4886d4aface1b5cbae1500e386ac42cafca7fc3d9ae5f6c7
-
SHA512
541cd78f3f0aa511aaebcae15cac44f1d1c446162b6f56aee6cb62b5d408acbedf5a587bbedd2cc58d4b0c99f671b7e68a56248064b4ee4f97138f9fffd94a17
-
SSDEEP
1536:gt6+6Y9yhU19DppS5wpOk3JCK6pFNmXd6fOpd/9nEh9TGKJYR:nhU19QwpOk5CK6XO/9ESKJY
Score
1/10
Malware Config
Signatures
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes: x6MPVreS87fF.exe
description | pid | process
Token: SeDebugPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
Token: 33 | 3448 | x6MPVreS87fF.exe
Token: SeIncBasePriorityPrivilege | 3448 | x6MPVreS87fF.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: x6MPVreS87fF.exe, cmd.exe
description | pid | process | target process
PID 3448 wrote to memory of 4848 | 3448 | x6MPVreS87fF.exe | schtasks.exe
PID 3448 wrote to memory of 4848 | 3448 | x6MPVreS87fF.exe | schtasks.exe
PID 3448 wrote to memory of 4848 | 3448 | x6MPVreS87fF.exe | schtasks.exe
PID 3448 wrote to memory of 1492 | 3448 | x6MPVreS87fF.exe | cmd.exe
PID 3448 wrote to memory of 1492 | 3448 | x6MPVreS87fF.exe | cmd.exe
PID 3448 wrote to memory of 1492 | 3448 | x6MPVreS87fF.exe | cmd.exe
PID 1492 wrote to memory of 3988 | 1492 | cmd.exe | PING.EXE
PID 1492 wrote to memory of 3988 | 1492 | cmd.exe | PING.EXE
PID 1492 wrote to memory of 3988 | 1492 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\x6MPVreS87fF.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\x6MPVreS87fF.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: schtasks /Delete /tn NYAN /F
  -
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\x6MPVreS87fF.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 0 -n 2
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13