Analysis

- max time kernel: 92s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:54

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: 75052d440a51b8d227176e676a583dc2.exe
- Resource: win7-20231129-en
- Platform: windows7-x64
- 5 signatures
- 150 seconds
General

- Target: 75052d440a51b8d227176e676a583dc2.exe
- Size: 316KB
- MD5: 75052d440a51b8d227176e676a583dc2
- SHA1: 68d6563824f15cb0b8491ce7767131b191ec1ede
- SHA256: 5a90a04bf0ebddfb387e921ffa59e744cdea6536ad14dbfe6a72bc3b3e07a8ee
- SHA512: f97c5bc0408e9e52cea7ff6947d17d2cbe1f7eaa10aedeb3a6d8eeb8f36c95e15d268f8a69a809c2b7163e78f3671c2641870e8a180debde4794ea05aa2f7e98
- SSDEEP: 6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiEbfpeVOt3O:FytbV3kSoXaLnToslYfpeoo
Malware Config
Signatures

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2196  75052d440a51b8d227176e676a583dc2.exe
    2196  75052d440a51b8d227176e676a583dc2.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2196  75052d440a51b8d227176e676a583dc2.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 2196 wrote to memory of 3484  2196  75052d440a51b8d227176e676a583dc2.exe  cmd.exe
    PID 2196 wrote to memory of 3484  2196  75052d440a51b8d227176e676a583dc2.exe  cmd.exe
    PID 3484 wrote to memory of 1584  3484  cmd.exe                               PING.EXE
    PID 3484 wrote to memory of 1584  3484  cmd.exe                               PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\75052d440a51b8d227176e676a583dc2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\75052d440a51b8d227176e676a583dc2.exe"
   PID: 2196
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\75052d440a51b8d227176e676a583dc2.exe"
      PID: 3484
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 6000
         PID: 1584
         - Runs ping.exe