809bc3a0b665d5f765bb4469c1a5e1c18ca47ef4462fb5107526f75d679b6911

Analysis

max time kernel
118s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0920113eb017459cc13ced85b986e6fb.exe
Size

488KB
MD5

0920113eb017459cc13ced85b986e6fb
SHA1

92be36f319cdcb568040ac3d862eef3c8da7dc3d
SHA256

809bc3a0b665d5f765bb4469c1a5e1c18ca47ef4462fb5107526f75d679b6911
SHA512

b2d339e8bd3b67add8f1a1934aed829783ffee40d029f1c20e57dd9add162709d9667131440df0b2c8426b1339744fbf3a5e93cdaefc840f9063de4f3b71f994
SSDEEP

12288:FytbV3kSoXaLnToslfkwgvOnN2hyGx/AE3WdIra0:Eb5kSYaLTVlfRNMysNWia0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2168	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	0920113eb017459cc13ced85b986e6fb.exe
2108	0920113eb017459cc13ced85b986e6fb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	0920113eb017459cc13ced85b986e6fb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2916	2108	0920113eb017459cc13ced85b986e6fb.exe	28
PID 2108 wrote to memory of 2916	2108	0920113eb017459cc13ced85b986e6fb.exe	28
PID 2108 wrote to memory of 2916	2108	0920113eb017459cc13ced85b986e6fb.exe	28
PID 2916 wrote to memory of 2168	2916	cmd.exe	30
PID 2916 wrote to memory of 2168	2916	cmd.exe	30
PID 2916 wrote to memory of 2168	2916	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\0920113eb017459cc13ced85b986e6fb.exe
"C:\Users\Admin\AppData\Local\Temp\0920113eb017459cc13ced85b986e6fb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\0920113eb017459cc13ced85b986e6fb.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...