f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8

Analysis

max time kernel
91s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Size

78KB
MD5

735e2ebea2304cd996ade02f9f62383a
SHA1

6bab8de8dea9c950b9028e02f362a4306d363cab
SHA256

f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8
SHA512

ec1544214416ff77732c49ea4fb1819840b1c3205523842b15c09749481d89a9d5d0728cf83813769c5454176cce50f3ee348160c58b6c9b3d08e91227f6e151
SSDEEP

1536:Uti+6Y9yhU1uDppS5wpOk3JCK6pFoRXd6fOpd/9nEh9TGWJcR:rhU1AQwpOk5CK6DO/9ESWJc

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5072	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Token: 33	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Token: SeIncBasePriorityPrivilege	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Token: 33	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Token: SeIncBasePriorityPrivilege	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Token: 33	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
Token: SeIncBasePriorityPrivilege	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2632	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe	88
PID 640 wrote to memory of 2632	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe	88
PID 640 wrote to memory of 2632	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe	88
PID 640 wrote to memory of 2008	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe	90
PID 640 wrote to memory of 2008	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe	90
PID 640 wrote to memory of 2008	640	f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe	90
PID 2008 wrote to memory of 5072	2008	cmd.exe	92
PID 2008 wrote to memory of 5072	2008	cmd.exe	92
PID 2008 wrote to memory of 5072	2008	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\f44098e7eaec4cd14d896779d38b61cbeb6ee2b276eb2f9fcea26c32ad732ec8_JC.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - Runs ping.exe
    PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-0-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/640-1-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/640-2-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/640-3-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/640-4-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/640-5-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/640-7-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download