87c4653144ff5055209a59eda8c70b56f9fd736ee881a4bd66a7af19d0ee9cb5

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 14:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d11020cfdd92e6fc487b49e1e8517fa.exe
Size

644KB
MD5

3d11020cfdd92e6fc487b49e1e8517fa
SHA1

2e1b7f65f07042a4749efad9790cf7576b00c7c8
SHA256

87c4653144ff5055209a59eda8c70b56f9fd736ee881a4bd66a7af19d0ee9cb5
SHA512

88cd21a557259116c3ace07426aad40acd6694316ddad61cf793a3f0883243ef1693eb14dd9d503a2918290339df4ff5bcbf54c7fdbbfcfad7ca1ec64d416cea
SSDEEP

12288:FytbV3kSoXaLnTosl747mfZAJQIBOnJJ6Ie9VhzlAOHhxyE6JPMWL:Eb5kSYaLTVl7zfGJQIc67zvBrEPMWL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2256	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1184	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	3d11020cfdd92e6fc487b49e1e8517fa.exe
2224	3d11020cfdd92e6fc487b49e1e8517fa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	3d11020cfdd92e6fc487b49e1e8517fa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2256	2224	3d11020cfdd92e6fc487b49e1e8517fa.exe	28
PID 2224 wrote to memory of 2256	2224	3d11020cfdd92e6fc487b49e1e8517fa.exe	28
PID 2224 wrote to memory of 2256	2224	3d11020cfdd92e6fc487b49e1e8517fa.exe	28
PID 2256 wrote to memory of 1184	2256	cmd.exe	30
PID 2256 wrote to memory of 1184	2256	cmd.exe	30
PID 2256 wrote to memory of 1184	2256	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\3d11020cfdd92e6fc487b49e1e8517fa.exe
"C:\Users\Admin\AppData\Local\Temp\3d11020cfdd92e6fc487b49e1e8517fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3d11020cfdd92e6fc487b49e1e8517fa.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads