438f5dcb63de73185564765dc3852eea10c773f9443f34709fbf3016bec206e8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

469acb0253dcb9296c1c130d00d23a35.exe
Size

528KB
MD5

469acb0253dcb9296c1c130d00d23a35
SHA1

5bb674dd86deca0c0340d9ccbff1f8847f706b19
SHA256

438f5dcb63de73185564765dc3852eea10c773f9443f34709fbf3016bec206e8
SHA512

7d9aaa17b4e2d5e4d9f80a0fbbde07bbd6477e47e28f05b264c8605ee715f0734d72e5ebd3e92ab6cedc0eee14bfd2108ef54bc09d5d6acd3a27dcfa8d1513d5
SSDEEP

12288:FytbV3kSoXaLnToslfG/R2WvO/z6YkeE12dFG:Eb5kSYaLTVlu/G76YhEAdFG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1720	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1840	469acb0253dcb9296c1c130d00d23a35.exe
1840	469acb0253dcb9296c1c130d00d23a35.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	469acb0253dcb9296c1c130d00d23a35.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2348	1840	469acb0253dcb9296c1c130d00d23a35.exe	18
PID 1840 wrote to memory of 2348	1840	469acb0253dcb9296c1c130d00d23a35.exe	18
PID 1840 wrote to memory of 2348	1840	469acb0253dcb9296c1c130d00d23a35.exe	18
PID 2348 wrote to memory of 1720	2348	cmd.exe	17
PID 2348 wrote to memory of 1720	2348	cmd.exe	17
PID 2348 wrote to memory of 1720	2348	cmd.exe	17

C:\Users\Admin\AppData\Local\Temp\469acb0253dcb9296c1c130d00d23a35.exe
"C:\Users\Admin\AppData\Local\Temp\469acb0253dcb9296c1c130d00d23a35.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\469acb0253dcb9296c1c130d00d23a35.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2348

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 6000
1⤵
- Runs ping.exe
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads