Analysis
max time kernel: 117s
max time network: 132s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 08:20
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 1343d504a25ad50ee1aa55d0355805fc.exe
  Resource: win7-20231215-en
  5 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: 1343d504a25ad50ee1aa55d0355805fc.exe
  Resource: win10v2004-20231215-en
  4 signatures
  150 seconds
General
Target: 1343d504a25ad50ee1aa55d0355805fc.exe
Size: 316KB
MD5: 1343d504a25ad50ee1aa55d0355805fc
SHA1: 9857d3b4d75e5c03ddc58dbe111db407c55f0ab1
SHA256: 953b9245093eee2b5ed8608b70c93db53ee73d2b28eb8da49412b4ad791b3b52
SHA512: 267ce23c24c92e59d18bf590b8315736b958701ca245d12bf8d64234151233c54e453b7d0e225cd165e0f7c78319886c5326b7f33d2c3562f13b28078fb76869
SSDEEP: 6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEIiexT4:FytbV3kSoXaLnToslbi3
Score: 7/10
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2712 | Process cmd.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2836 | Process PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2232 | Process 1343d504a25ad50ee1aa55d0355805fc.exe
  pid 2232 | Process 1343d504a25ad50ee1aa55d0355805fc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description Token: SeDebugPrivilege | pid 2232 | Process 1343d504a25ad50ee1aa55d0355805fc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2232 wrote to memory of 2712 | 2232 | 1343d504a25ad50ee1aa55d0355805fc.exe | 28
  PID 2232 wrote to memory of 2712 | 2232 | 1343d504a25ad50ee1aa55d0355805fc.exe | 28
  PID 2232 wrote to memory of 2712 | 2232 | 1343d504a25ad50ee1aa55d0355805fc.exe | 28
  PID 2712 wrote to memory of 2836 | 2712 | cmd.exe | 29
  PID 2712 wrote to memory of 2836 | 2712 | cmd.exe | 29
  PID 2712 wrote to memory of 2836 | 2712 | cmd.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\1343d504a25ad50ee1aa55d0355805fc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1343d504a25ad50ee1aa55d0355805fc.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2232
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1343d504a25ad50ee1aa55d0355805fc.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2712
      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 6000
         - Runs ping.exe
         PID: 2836