79f3ef59c972be90e84cf08f9b79b0eb24e24725d43bc777b4801c929a84fe1d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50d627eea9de0f94771995b7dda763a7.exe
Size

544KB
MD5

50d627eea9de0f94771995b7dda763a7
SHA1

c069ce1147768b6299cfb08fc6d8ba58fd060922
SHA256

79f3ef59c972be90e84cf08f9b79b0eb24e24725d43bc777b4801c929a84fe1d
SHA512

ab16b48541c23a79a0cca097e03fb566086d441621b27b640b9356289ce5db69de5baeaf4eb7713efcb0e011f10244460fa85f4749d298b5698abbbd4f59d99c
SSDEEP

12288:FytbV3kSoXaLnToslUFbuBtXqiif/B74wm7JxpVH2/Zt/8Z:Eb5kSYaLTVlUYXDQZ74xHpQ/Ztu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1692	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	50d627eea9de0f94771995b7dda763a7.exe
2540	50d627eea9de0f94771995b7dda763a7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	50d627eea9de0f94771995b7dda763a7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2228	2540	50d627eea9de0f94771995b7dda763a7.exe	28
PID 2540 wrote to memory of 2228	2540	50d627eea9de0f94771995b7dda763a7.exe	28
PID 2540 wrote to memory of 2228	2540	50d627eea9de0f94771995b7dda763a7.exe	28
PID 2228 wrote to memory of 1692	2228	cmd.exe	30
PID 2228 wrote to memory of 1692	2228	cmd.exe	30
PID 2228 wrote to memory of 1692	2228	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\50d627eea9de0f94771995b7dda763a7.exe
"C:\Users\Admin\AppData\Local\Temp\50d627eea9de0f94771995b7dda763a7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\50d627eea9de0f94771995b7dda763a7.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...