Resubmissions
10-10-2023 19:06  231010-xr48baaa72  7
10-10-2023 18:57  231010-xmdvkahh85  7
11-12-2020 07:11  201211-8rk4l8xrye  10
Analysis
max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2023 19:06
Static task: static1
Behavioral task: behavioral1
  Sample: 107fe810309d392811fb898622aa607c.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 107fe810309d392811fb898622aa607c.exe
  Resource: win10v2004-20230915-en
General
Target: 107fe810309d392811fb898622aa607c.exe
Size: 265KB
MD5: 107fe810309d392811fb898622aa607c
SHA1: da82f9894db9b0a9b3cc9565a0c71e3e851cf98b
SHA256: d03c84a13b8e6274f7353fd98e35f73c194938b61690a9a8a83c594a40994dec
SHA512: 1def7eff04fac2e9ce8f8f54655ade9640dfe81d0bf957762d173b13ef5d6681ef212418f8fd0e72d0d40fa0d2b0e1c1a3f05805ab0009bf2db3f175cd3d7d84
SSDEEP: 1536:vU+AIFt7FeLuMI8Orz99qsOCGMfZovSCC:vU+Aet0aZ3RHovW
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid   process
    2648  cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 107fe810309d392811fb898622aa607c.exe, cmd.exe
    description                        pid   process                               target process
    PID 2112 wrote to memory of 2648   2112  107fe810309d392811fb898622aa607c.exe  cmd.exe
    PID 2112 wrote to memory of 2648   2112  107fe810309d392811fb898622aa607c.exe  cmd.exe
    PID 2112 wrote to memory of 2648   2112  107fe810309d392811fb898622aa607c.exe  cmd.exe
    PID 2112 wrote to memory of 2648   2112  107fe810309d392811fb898622aa607c.exe  cmd.exe
    PID 2648 wrote to memory of 2776   2648  cmd.exe                               PING.EXE
    PID 2648 wrote to memory of 2776   2648  cmd.exe                               PING.EXE
    PID 2648 wrote to memory of 2776   2648  cmd.exe                               PING.EXE
    PID 2648 wrote to memory of 2776   2648  cmd.exe                               PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2112
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe" >> NUL
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2648
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 2776