Analysis
Max time kernel: 121s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 23/01/2024, 21:49
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 70a513d5b8583314e4891292edc86658.exe
  Resource: win7-20231215-en
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 70a513d5b8583314e4891292edc86658.exe
  Resource: win10v2004-20231222-en
  4 signatures, 150 seconds
General
Target: 70a513d5b8583314e4891292edc86658.exe
Size: 316KB
MD5: 70a513d5b8583314e4891292edc86658
SHA1: 3b66492c32213fb4c1a92519b608c222b30b729c
SHA256: 4e326a02a44a3e4b28306f1c8e83134e17789f3db71240fe5b96d32d45fdc20c
SHA512: 43c6e1f53b69e6cdaea82f84ec5566dcf559d8561f90e27c881cad2c308e6daa140034e3356452eedb7ee549ea60c5a9bf8aec400c303ac71a9d45155fec8b7f
SSDEEP: 6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEI9pkZAkj01f:FytbV3kSoXaLnTosld9K/Uf
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 1908, process cmd.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid 2536, process PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2532, process 70a513d5b8583314e4891292edc86658.exe
  pid 2532, process 70a513d5b8583314e4891292edc86658.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 2532, process 70a513d5b8583314e4891292edc86658.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 2532 wrote to memory of 1908 | 2532 | 70a513d5b8583314e4891292edc86658.exe | 29
  PID 2532 wrote to memory of 1908 | 2532 | 70a513d5b8583314e4891292edc86658.exe | 29
  PID 2532 wrote to memory of 1908 | 2532 | 70a513d5b8583314e4891292edc86658.exe | 29
  PID 1908 wrote to memory of 2536 | 1908 | cmd.exe | 30
  PID 1908 wrote to memory of 2536 | 1908 | cmd.exe | 30
  PID 1908 wrote to memory of 2536 | 1908 | cmd.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\70a513d5b8583314e4891292edc86658.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70a513d5b8583314e4891292edc86658.exe"
  Tree depth 1, PID 2532
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\70a513d5b8583314e4891292edc86658.exe"
    Tree depth 2, PID 1908
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 6000
      Tree depth 3, PID 2536
      - Runs ping.exe
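The process tree above is the classic cmd.exe self-deletion idiom: the sample spawns cmd.exe, which uses ping with a 6-second reply timeout as a sleep so that the parent has exited and its image file is no longer locked, then deletes that file. The "Deletes itself" signature fires because the Del target equals the parent's image path. The following detection logic is an added example, not code from the sandbox or the report: it takes process-creation records in the shape of Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine), reconstructs the parent of each cmd.exe, and flags a cmd.exe whose del/erase target is the parent's own image. The sample events are constructed to mirror the tree in the report (plus a benign cleanup case) and are not sandbox output; the field names and the ProcEvent class are assumptions of this example.

```python
"""
Detect cmd.exe self-deletion of the parent's image file, as seen in the
report's process tree.  Example code, not part of the sandbox report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 subset, assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events mirroring the report's tree; not a real capture.
SAMPLE_EVENTS = [
    ProcEvent(2532, 1700,
              r"C:\Users\Admin\AppData\Local\Temp\70a513d5b8583314e4891292edc86658.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\70a513d5b8583314e4891292edc86658.exe"'),
    ProcEvent(1908, 2532, r"C:\Windows\system32\cmd.exe",
              r'cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\70a513d5b8583314e4891292edc86658.exe"'),
    ProcEvent(2536, 1908, r"C:\Windows\system32\PING.EXE", r"ping 1.1.1.1 -n 1 -w 6000"),
    # Benign control: an installer removing a log file that is not its own image.
    ProcEvent(3000, 1700, r"C:\Users\Admin\Downloads\setup.exe", r'"C:\Users\Admin\Downloads\setup.exe"'),
    ProcEvent(3100, 3000, r"C:\Windows\system32\cmd.exe",
              r'cmd.exe /C del "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]

# Delay primitives commonly chained before the delete so the parent can exit:
# "ping ... -n N", "timeout", or "choice ... /t N".
DELAY_RE = re.compile(r"\b(?:ping\b.*?-n\s+\d+|timeout\b|choice\b.*?/t\s+\d+)", re.I)

# del/erase, optional switches (/f /q ...), then a quoted path or a bare token.
DELETE_RE = re.compile(r"\b(?:del|erase)\b((?:\s+/[a-z])*)\s+(?:\"([^\"]+)\"|(\S+))", re.I)


def deletion_targets(cmdline: str) -> list[str]:
    """Return every file path passed to del/erase in a cmd.exe command line."""
    return [m.group(2) or m.group(3) for m in DELETE_RE.finditer(cmdline)]


def find_self_deletion(events: list[ProcEvent]) -> list[dict]:
    """Flag cmd.exe instances whose delete target is their parent's image file.

    A hit records whether a delay primitive preceded the delete, which is the
    tell-tale of the wait-until-parent-exits idiom rather than a plain cleanup.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the event set; cannot decide
        targets = deletion_targets(e.cmdline)
        if not targets:
            continue
        delayed = DELAY_RE.search(e.cmdline) is not None
        for target in targets:
            if target.lower() == parent.image.lower():
                findings.append({
                    "cmd_pid": e.pid,
                    "parent_pid": parent.pid,
                    "target": target,
                    "delayed": delayed,
                })
    return findings


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-delete: cmd.exe pid {hit['cmd_pid']} removes image of "
              f"pid {hit['parent_pid']} (delayed={hit['delayed']}): {hit['target']}")
```

The benign setup.exe case is deliberately not flagged: deleting some other file via cmd.exe is routine, and matching the target against the parent's own image is what keeps the rule specific. Run on a real Sysmon or EDR feed, the same comparison should be done on normalized paths (case, 8.3 short names, environment-variable expansion), since the del argument is taken verbatim from the command line.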