1b17cbb75b5fc4b746761e0ba24ecd78084eaf885208f4d6d42170d081a0b8d4

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40364d01c669fec853b9aae03344ab0e.exe
Size

1.6MB
MD5

40364d01c669fec853b9aae03344ab0e
SHA1

4b90f3bd2237f8ca32ade818c6019be6c75f4182
SHA256

1b17cbb75b5fc4b746761e0ba24ecd78084eaf885208f4d6d42170d081a0b8d4
SHA512

14a76763794fa4d085aaa003e4e9dfc15f9ef6b2b7521caf514c65080cfc67324f754a5176b42cdb6f8b1d12a2e4685ee30c533b6073884e05db26384e2aa402
SSDEEP

24576:Eb5kSYaLTVlwfmnAwYW4Qogjc7u0RkUsrS6p7Vb3hvhpmTChf6dnPhYnc0wa+cgE:Eb5k2L5KoAwUwc7u01GZVbxKCAPfU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
848	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3048	40364d01c669fec853b9aae03344ab0e.exe
3048	40364d01c669fec853b9aae03344ab0e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	40364d01c669fec853b9aae03344ab0e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2996	3048	40364d01c669fec853b9aae03344ab0e.exe	28
PID 3048 wrote to memory of 2996	3048	40364d01c669fec853b9aae03344ab0e.exe	28
PID 3048 wrote to memory of 2996	3048	40364d01c669fec853b9aae03344ab0e.exe	28
PID 2996 wrote to memory of 848	2996	cmd.exe	30
PID 2996 wrote to memory of 848	2996	cmd.exe	30
PID 2996 wrote to memory of 848	2996	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe
"C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...