df12dfc1010388e7d0e99442e9d0e88faccdc850619886d947b60cdc08dd7954

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59169183ef136b4f89d182b2ed33cf73.exe
Size

528KB
MD5

59169183ef136b4f89d182b2ed33cf73
SHA1

ca9f7ac3742c7986154b2f5fbba038aec1668d11
SHA256

df12dfc1010388e7d0e99442e9d0e88faccdc850619886d947b60cdc08dd7954
SHA512

0a6f0a86cc028330f345e9cd1ebfbf44a4b910d4a7f1b8682add3719d40d453e450201e113ebae115143a48f5eb2864d98ae2ed6cc65e7d63a949e05a5ea4013
SSDEEP

12288:FytbV3kSoXaLnToslWwWdLbaweSujQuEa32:Eb5kSYaLTVl3wenj5Eam

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5020	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3200	59169183ef136b4f89d182b2ed33cf73.exe
3200	59169183ef136b4f89d182b2ed33cf73.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	59169183ef136b4f89d182b2ed33cf73.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4100	3200	59169183ef136b4f89d182b2ed33cf73.exe	88
PID 3200 wrote to memory of 4100	3200	59169183ef136b4f89d182b2ed33cf73.exe	88
PID 4100 wrote to memory of 5020	4100	cmd.exe	90
PID 4100 wrote to memory of 5020	4100	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\59169183ef136b4f89d182b2ed33cf73.exe
"C:\Users\Admin\AppData\Local\Temp\59169183ef136b4f89d182b2ed33cf73.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\59169183ef136b4f89d182b2ed33cf73.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads