a2c8b0fd8e5547e93c5043b5492eeb962d0456dc59115cf32a0f7a1e0022d5fc

Analysis

max time kernel
121s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10ba2a053cc1b299102bdea13d12dc9d.exe
Size

488KB
MD5

10ba2a053cc1b299102bdea13d12dc9d
SHA1

8045068eb9b4d7794b614a8b1efe4a03741349d2
SHA256

a2c8b0fd8e5547e93c5043b5492eeb962d0456dc59115cf32a0f7a1e0022d5fc
SHA512

58410c0b72391327ba2e3f90fe9ae8e838f7a84c7b0f1119fe648a96a947d758d5258c6af50d5d3e1e6b326c1ac8e5110a685258435ca4265144c197a50c582b
SSDEEP

12288:FytbV3kSoXaLnToslEiB6VJJzYyaqVRUmEHyO+L:Eb5kSYaLTVlV67JnaCUmyyJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2244	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	10ba2a053cc1b299102bdea13d12dc9d.exe
1680	10ba2a053cc1b299102bdea13d12dc9d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	10ba2a053cc1b299102bdea13d12dc9d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2904	1680	10ba2a053cc1b299102bdea13d12dc9d.exe	18
PID 1680 wrote to memory of 2904	1680	10ba2a053cc1b299102bdea13d12dc9d.exe	18
PID 1680 wrote to memory of 2904	1680	10ba2a053cc1b299102bdea13d12dc9d.exe	18
PID 2904 wrote to memory of 2244	2904	cmd.exe	23
PID 2904 wrote to memory of 2244	2904	cmd.exe	23
PID 2904 wrote to memory of 2244	2904	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\10ba2a053cc1b299102bdea13d12dc9d.exe
"C:\Users\Admin\AppData\Local\Temp\10ba2a053cc1b299102bdea13d12dc9d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\10ba2a053cc1b299102bdea13d12dc9d.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...