Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:06
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 74ee66006938a359bc9f57f305e316e7.exe
  Resource: win7-20231215-en (windows7-x64)
  5 signatures, 150 seconds
General
Target: 74ee66006938a359bc9f57f305e316e7.exe
Size: 1.6MB
MD5: 74ee66006938a359bc9f57f305e316e7
SHA1: 6115bd1139dc1a9a9af04f6c808ec4561291e4e4
SHA256: 87f3bcb581722ce10e6e5049454d44a0513098f44ca063990afcc8d03b4f0ccd
SHA512: 44a70495aa43a004f48da922f298e835bc14eb2363a8ae919193454a12bc9853fb7c8ddf086ee960658d742d776bce4ec1e616c092d80fedddbbf71455f89a9c
SSDEEP: 24576:Eb5kSYaLTVlS/fzSJUKbmRpSXyzhX2Jbm0kve9/q2JGxzwZGPlrYO5he56kcfnPo:Eb5k2L5q7Sn6gJb5Oe9/7eYChCxcY
Score: 7/10
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    808   cmd.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    process
    2528   74ee66006938a359bc9f57f305e316e7.exe
    2528   74ee66006938a359bc9f57f305e316e7.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    2528   74ee66006938a359bc9f57f305e316e7.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid    process                                 target process
    PID 2528 wrote to memory of 808     2528   74ee66006938a359bc9f57f305e316e7.exe    cmd.exe
    PID 2528 wrote to memory of 808     2528   74ee66006938a359bc9f57f305e316e7.exe    cmd.exe
    PID 2528 wrote to memory of 808     2528   74ee66006938a359bc9f57f305e316e7.exe    cmd.exe
    PID 808 wrote to memory of 1564     808    cmd.exe                                 PING.EXE
    PID 808 wrote to memory of 1564     808    cmd.exe                                 PING.EXE
    PID 808 wrote to memory of 1564     808    cmd.exe                                 PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"
   PID: 2528
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"
      PID: 808
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 6000
         PID: 1564
         - Runs ping.exe
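The process tree above shows the only concrete behaviour in this report: the sample spawns cmd.exe with a ping to 1.1.1.1 used as a sleep (one echo request, 6000 ms reply timeout, output to Nul) followed by Del of its own image path, so the executable is removed once the parent has exited. The "wrote to memory of" entries are what each child process creation looks like in this report format and are not on their own evidence of code injection. The following detector is an added example, not part of the report or of any sandbox's code: it walks constructed process-creation events (modelled on the three processes in this tree, plus two benign cmd.exe children of a hypothetical setup.exe that are assumed, not taken from the page) and flags a cmd.exe child whose command line deletes its parent's own image, noting whether a delay command precedes the delete.

```python
import re
from dataclasses import dataclass

# Image path of the sample in this report; used to build the constructed events below.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 / Security 4688 carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events: the three processes from this report's process tree,
# plus two benign cmd.exe children of a hypothetical installer (assumed, not from the page).
EVENTS = [
    ProcEvent(2528, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(808, 2528, r"C:\Windows\system32\cmd.exe",
              f'cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "{SAMPLE}"'),
    ProcEvent(1564, 808, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 1 -w 6000"),
    ProcEvent(2900, 1000, r"C:\Users\Admin\Downloads\setup.exe", r'"C:\Users\Admin\Downloads\setup.exe"'),
    ProcEvent(3000, 2900, r"C:\Windows\system32\cmd.exe",
              r'cmd.exe /C del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
    ProcEvent(3100, 2900, r"C:\Windows\system32\cmd.exe", "cmd.exe /C ping 8.8.8.8 -n 4"),
]

# Commands commonly used as a sleep before the delete runs.
DELAY_RE = re.compile(r"^(ping|timeout|choice|sleep)\b", re.IGNORECASE)
# Leading "cmd.exe /C " or "cmd /K ", optionally quoted or given with a full path.
CMD_PREFIX_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)


def strip_cmd_prefix(cmdline: str) -> str:
    """Return the command body that cmd.exe actually executes."""
    m = CMD_PREFIX_RE.match(cmdline)
    return cmdline[m.end():] if m else cmdline


def split_segments(cmdline: str) -> list:
    """Split on cmd.exe command separators (&&, ||, &, |). Not a full cmd parser."""
    return [s.strip() for s in re.split(r"&&|\|\||&|\|", cmdline) if s.strip()]


def delete_target(segment: str):
    """Return the path a 'del'/'erase' segment deletes, or None if it is not a delete."""
    toks = segment.split()
    if not toks or toks[0].lower() not in ("del", "erase"):
        return None
    rest = [t for t in toks[1:] if not t.startswith("/")]  # drop /f /q /a style switches
    return " ".join(rest).strip('"') or None


def find_self_deletion(events) -> list:
    """Flag cmd.exe children whose command line deletes the parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        segments = split_segments(strip_cmd_prefix(e.cmdline))
        delayed = any(DELAY_RE.match(s) for s in segments)
        for s in segments:
            target = delete_target(s)
            if target and target.lower() == parent.image.lower():
                hits.append({"cmd_pid": e.pid, "parent_pid": parent.pid,
                             "parent_image": parent.image, "delayed": delayed})
    return hits


if __name__ == "__main__":
    for h in find_self_deletion(EVENTS):
        print(f"self-deletion: pid {h['parent_pid']} ({h['parent_image']}) "
              f"removed via cmd.exe pid {h['cmd_pid']}, delayed={h['delayed']}")
```

The check keys on the relationship between the child's delete target and the parent's image rather than on the literal ping/1.1.1.1 string, so it still fires when the delay is timeout.exe or the target address changes; the benign events (deleting a log file, a plain ping) produce no hit. The segment splitter deliberately ignores redirections and quoting edge cases, which is acceptable for triage but would need a real cmd tokenizer before use as a blocking rule.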