953b9245093eee2b5ed8608b70c93db53ee73d2b28eb8da49412b4ad791b3b52

Analysis

max time kernel
117s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1343d504a25ad50ee1aa55d0355805fc.exe
Size

316KB
MD5

1343d504a25ad50ee1aa55d0355805fc
SHA1

9857d3b4d75e5c03ddc58dbe111db407c55f0ab1
SHA256

953b9245093eee2b5ed8608b70c93db53ee73d2b28eb8da49412b4ad791b3b52
SHA512

267ce23c24c92e59d18bf590b8315736b958701ca245d12bf8d64234151233c54e453b7d0e225cd165e0f7c78319886c5326b7f33d2c3562f13b28078fb76869
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEIiexT4:FytbV3kSoXaLnToslbi3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2836	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	1343d504a25ad50ee1aa55d0355805fc.exe
2232	1343d504a25ad50ee1aa55d0355805fc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	1343d504a25ad50ee1aa55d0355805fc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2712	2232	1343d504a25ad50ee1aa55d0355805fc.exe	28
PID 2232 wrote to memory of 2712	2232	1343d504a25ad50ee1aa55d0355805fc.exe	28
PID 2232 wrote to memory of 2712	2232	1343d504a25ad50ee1aa55d0355805fc.exe	28
PID 2712 wrote to memory of 2836	2712	cmd.exe	29
PID 2712 wrote to memory of 2836	2712	cmd.exe	29
PID 2712 wrote to memory of 2836	2712	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\1343d504a25ad50ee1aa55d0355805fc.exe
"C:\Users\Admin\AppData\Local\Temp\1343d504a25ad50ee1aa55d0355805fc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1343d504a25ad50ee1aa55d0355805fc.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads