2011a96d7eb4d82ea81bc1e83222dcbbb78269ce4836a7dbee8d03765c594f66

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 21:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f81dc9ac13745f2a47783b21ec0070b2.exe
Size

461KB
MD5

f81dc9ac13745f2a47783b21ec0070b2
SHA1

adaf5d933c51dc8863edb157474475dc18d93586
SHA256

2011a96d7eb4d82ea81bc1e83222dcbbb78269ce4836a7dbee8d03765c594f66
SHA512

953c08778192b3ccf71e027ac1699a3d5884d4dca9996f47286b5f82d80c533406363f39265a9c73be9dc93afdbb06f08744725e1abf30465b1b2b0f8f640337
SSDEEP

6144:NgpPLdb8XQlYMzvSKwtPOqDSTonFfmUH2CuqfPeiskRmrKhma4TF7O8uR2gD:Ngp5bAQlYCk3DS+YSkqfmMRm2BU7O88D

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2260	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2852	2224	f81dc9ac13745f2a47783b21ec0070b2.exe	31
PID 2224 wrote to memory of 2852	2224	f81dc9ac13745f2a47783b21ec0070b2.exe	31
PID 2224 wrote to memory of 2852	2224	f81dc9ac13745f2a47783b21ec0070b2.exe	31
PID 2224 wrote to memory of 2852	2224	f81dc9ac13745f2a47783b21ec0070b2.exe	31
PID 2852 wrote to memory of 2260	2852	cmd.exe	33
PID 2852 wrote to memory of 2260	2852	cmd.exe	33
PID 2852 wrote to memory of 2260	2852	cmd.exe	33
PID 2852 wrote to memory of 2260	2852	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\f81dc9ac13745f2a47783b21ec0070b2.exe
"C:\Users\Admin\AppData\Local\Temp\f81dc9ac13745f2a47783b21ec0070b2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\f81dc9ac13745f2a47783b21ec0070b2.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2260

Network

DNS

api-ab.ru

f81dc9ac13745f2a47783b21ec0070b2.exe

Remote address:

8.8.8.8:53

Request

api-ab.ru

IN A

Response
DNS

api-ab.ru

f81dc9ac13745f2a47783b21ec0070b2.exe

Remote address:

8.8.8.8:53

Request

api-ab.ru

IN A
DNS

qqq.api-ab.ru

f81dc9ac13745f2a47783b21ec0070b2.exe

Remote address:

8.8.8.8:53

Request

qqq.api-ab.ru

IN A

Response

No results found

8.8.8.8:53

api-ab.ru

dns

f81dc9ac13745f2a47783b21ec0070b2.exe

110 B
116 B
2
1

DNS Request

api-ab.ru

DNS Request

api-ab.ru
8.8.8.8:53

qqq.api-ab.ru

dns

f81dc9ac13745f2a47783b21ec0070b2.exe

59 B
120 B
1
1

DNS Request

qqq.api-ab.ru

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-1-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-2-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-4-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.