Analysis
- max time kernel: 117s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:06

Static task: static1 (1 signatures)
Behavioral task: behavioral1
- Sample: 74ee66006938a359bc9f57f305e316e7.exe
- Resource: win7-20231215-en (windows7-x64)
- 5 signatures, 150 seconds
General
- Target: 74ee66006938a359bc9f57f305e316e7.exe
- Size: 1.6MB
- MD5: 74ee66006938a359bc9f57f305e316e7
- SHA1: 6115bd1139dc1a9a9af04f6c808ec4561291e4e4
- SHA256: 87f3bcb581722ce10e6e5049454d44a0513098f44ca063990afcc8d03b4f0ccd
- SHA512: 44a70495aa43a004f48da922f298e835bc14eb2363a8ae919193454a12bc9853fb7c8ddf086ee960658d742d776bce4ec1e616c092d80fedddbbf71455f89a9c
- SSDEEP: 24576:Eb5kSYaLTVlS/fzSJUKbmRpSXyzhX2Jbm0kve9/q2JGxzwZGPlrYO5he56kcfnPo:Eb5k2L5q7Sn6gJb5Oe9/7eYChCxcY
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    4804  74ee66006938a359bc9f57f305e316e7.exe
    4804  74ee66006938a359bc9f57f305e316e7.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  4804  74ee66006938a359bc9f57f305e316e7.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 4804 wrote to memory of 2492  4804  74ee66006938a359bc9f57f305e316e7.exe  cmd.exe
    PID 4804 wrote to memory of 2492  4804  74ee66006938a359bc9f57f305e316e7.exe  cmd.exe
    PID 2492 wrote to memory of 4388  2492  cmd.exe  PING.EXE
    PID 2492 wrote to memory of 4388  2492  cmd.exe  PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"
   PID: 4804
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"
      PID: 2492
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 60003
         PID: 4388
         - Runs ping.exe
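The cmd.exe command line in the tree above is a delayed self-deletion: ping is used as a sleep so the parent executable has had time to exit before del is run against its own file. As an added example, not part of this sandbox report, the Python below runs that detection over constructed process-creation events (field names modelled on Sysmon Event ID 1; the three events copy the pids, images and command lines from the tree, while the parent pid 1234 and the two benign control events are assumed). It flags a cmd.exe child whose command line combines a delay primitive (ping or timeout) with a del/erase, and reports whether the delete target is the image of its own parent process.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample events shaped after the process tree in the report.
# The first three mirror the tree (parent pid 1234 is assumed); the last two
# are benign controls: a ping without a delete, and a delete without a delay.
SAMPLE_EVENTS = [
    {"ProcessId": 4804, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"'},
    {"ProcessId": 2492, "ParentProcessId": 4804,
     "Image": r"C:\Windows\SYSTEM32\cmd.exe",
     "CommandLine": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\74ee66006938a359bc9f57f305e316e7.exe"'},
    {"ProcessId": 4388, "ParentProcessId": 2492,
     "Image": r"C:\Windows\system32\PING.EXE",
     "CommandLine": "ping 1.1.1.1 -n 1 -w 6000"},
    {"ProcessId": 5000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C ping 10.0.0.1 -n 4"},
    {"ProcessId": 5001, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C del C:\Temp\old.log"},
]

# ping ... up to the next shell operator; timeout [/t] N
PING_RE = re.compile(r"\bping(?:\.exe)?\b([^&|]*)", re.I)
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)
# del|erase [/switches] "quoted path" | bare path
DELETE_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|(\S+))', re.I)


def parse_delay(cmdline: str) -> Optional[Tuple[str, int]]:
    """Return (primitive, upper bound of the delay in ms) or None.

    For ping the bound is count * per-reply timeout; it is only reached when
    no reply arrives. A host that answers ends each wait early, so a command
    like 'ping 1.1.1.1 -n 1 -w 6000' sleeps 6 s only if 1.1.1.1 is unreachable.
    """
    m = PING_RE.search(cmdline)
    if m:
        args = m.group(1)
        n = re.search(r"-n\s+(\d+)", args, re.I)
        w = re.search(r"-w\s+(\d+)", args, re.I)
        count = int(n.group(1)) if n else 4      # Windows ping default: 4 echo requests
        wait = int(w.group(1)) if w else 4000    # Windows ping default: 4000 ms per reply
        return ("ping", count * wait)
    m = TIMEOUT_RE.search(cmdline)
    if m:
        return ("timeout", int(m.group(1)) * 1000)
    return None


@dataclass
class Finding:
    pid: int
    parent_pid: int
    delete_target: str
    deletes_parent: bool     # target path equals the parent's own image
    delay_primitive: str
    max_delay_ms: int


def find_delayed_self_deletion(events):
    """Flag cmd.exe processes that pair a delay primitive with a del/erase."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        delay = parse_delay(e["CommandLine"])
        dm = DELETE_RE.search(e["CommandLine"])
        if delay is None or dm is None:
            continue  # both halves are needed; either alone is common admin usage
        target = (dm.group(1) or dm.group(2)).strip()
        parent = by_pid.get(e["ParentProcessId"])
        deletes_parent = parent is not None and parent["Image"].lower() == target.lower()
        findings.append(Finding(e["ProcessId"], e["ParentProcessId"], target,
                                deletes_parent, delay[0], delay[1]))
    return findings


if __name__ == "__main__":
    for f in find_delayed_self_deletion(SAMPLE_EVENTS):
        print(f)
```

Requiring both the delay and the delete keeps the rule quiet on ordinary shells that only ping or only delete; the `deletes_parent` flag is the high-confidence case, since a process that arranges for its own image to be removed after it exits has no benign reason to do so. When the telemetry also carries the ping child (PID 4388 above), the same parent/child relationship can be used to confirm the delay actually ran.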