Analysis
max time kernel: 141s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 13:08
Static task: static1
Behavioral task: behavioral1
  Sample: Malware_Investigations_Assignment_1_2023.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: Malware_Investigations_Assignment_1_2023.exe
  Resource: win10v2004-20231023-en
General
Target: Malware_Investigations_Assignment_1_2023.exe
Size: 597KB
MD5: c4cd1a71f26b85d2856a301cb4b18f3d
SHA1: 07a9916788a14e49d28e478b1d6e80f57573706a
SHA256: a494651f4990d7deda080a835c72677364793b05e8e07561a4dd5b9f0228e6d2
SHA512: 9936ec6a7e680dfa8e525cef9de242c8f81809783e8e4fd159c1797e78f2c0f7b41c23fe3367c9e7fddbdc567b2d361372c07e779c9dd6ae1de7d61992b5f2f1
SSDEEP: 12288:NVEkgKQBvCXOvd/fFYIxhrUAjw6Puk+ZH:7gwOhhrX+
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1776  PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4452  powershell.exe
  4452  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4452  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                        procid_target
  PID 1308 wrote to memory of 568   1308  Malware_Investigations_Assignment_1_2023.exe   110
  PID 1308 wrote to memory of 568   1308  Malware_Investigations_Assignment_1_2023.exe   110
  PID 1308 wrote to memory of 568   1308  Malware_Investigations_Assignment_1_2023.exe   110
  PID 568 wrote to memory of 4452   568   cmd.exe                                        111
  PID 568 wrote to memory of 4452   568   cmd.exe                                        111
  PID 568 wrote to memory of 4452   568   cmd.exe                                        111
  PID 4452 wrote to memory of 1776  4452  powershell.exe                                 113
  PID 4452 wrote to memory of 1776  4452  powershell.exe                                 113
  PID 4452 wrote to memory of 1776  4452  powershell.exe                                 113
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\Malware_Investigations_Assignment_1_2023.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Malware_Investigations_Assignment_1_2023.exe"
  PID: 1308
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start powershell.exe -windowstyle hidden ping -n 1 -w 1 ItwasDNS.
    PID: 568
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -windowstyle hidden ping -n 1 -w 1 ItwasDNS.
      PID: 4452
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\PING.EXE
        Command line: "C:\Windows\system32\PING.EXE" -n 1 -w 1 ItwasDNS.
        PID: 1776
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 543B
  MD5: 088667c948baeb42ae3b10e870864c49
  SHA1: 3ecc4602e1909de1ae2494dd7549c9964d00e257
  SHA256: 9ef4a2be8617254cfbbae7585ee6c29620b91956c27c567c29e160e9f6073565
  SHA512: 13580489cb9b52976ccaba4a70eff7cb5f3630202c1df6d53d3202ef5b376ff673b131e8d9840ebaea09d9f4e543ff04e5667cafb98adac97edda397ff57366f