0bff84eb401448c320cf4b51569cb103badc364fb4122f1c9069ed6d67941419

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d7e4bd48c28add5c224610397d1033b.exe
Size

316KB
MD5

4d7e4bd48c28add5c224610397d1033b
SHA1

1b37bd17a6bf9d64640d4c8843009b3da10220aa
SHA256

0bff84eb401448c320cf4b51569cb103badc364fb4122f1c9069ed6d67941419
SHA512

286f66d7c8881e6405642a17427421e088baa7d22f06b3a2b4b88963a8a663900b7cb3778cd2a336c4efd5211a73c81ea717168f7f8f2a1b3cab200c0834de8f
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEoJ5geNjNWPo3:FytbV3kSoXaLnToslhJ5geNjNJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1996	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	4d7e4bd48c28add5c224610397d1033b.exe
2416	4d7e4bd48c28add5c224610397d1033b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	4d7e4bd48c28add5c224610397d1033b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2944	2416	4d7e4bd48c28add5c224610397d1033b.exe	18
PID 2416 wrote to memory of 2944	2416	4d7e4bd48c28add5c224610397d1033b.exe	18
PID 2416 wrote to memory of 2944	2416	4d7e4bd48c28add5c224610397d1033b.exe	18
PID 2944 wrote to memory of 1996	2944	cmd.exe	16
PID 2944 wrote to memory of 1996	2944	cmd.exe	16
PID 2944 wrote to memory of 1996	2944	cmd.exe	16

C:\Users\Admin\AppData\Local\Temp\4d7e4bd48c28add5c224610397d1033b.exe
"C:\Users\Admin\AppData\Local\Temp\4d7e4bd48c28add5c224610397d1033b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4d7e4bd48c28add5c224610397d1033b.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2944

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 6000
1⤵
- Runs ping.exe
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads