899788f15a90aef1df9f62ff1d39eaac3eacc400f88492faa367c82f6f3d8dea

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752092a97d664fd30a8f2ef96dc778b1.exe
Size

1.6MB
MD5

752092a97d664fd30a8f2ef96dc778b1
SHA1

92bf641a940b3097ad35bd1691a4661360733659
SHA256

899788f15a90aef1df9f62ff1d39eaac3eacc400f88492faa367c82f6f3d8dea
SHA512

8b50b4b2849043fe9dc9081b26eb6134789f2e70b8a1f70aca89fbaaf6ad068009bff91e29c6136e28a0563d4d73f86c3bc3c32781e4b1fb3f6310ce9898f0aa
SSDEEP

24576:Eb5kSYaLTVlHy10y4msxThyv8B32EIUG3on2wuVvuM/VOTP3mmWCHlf0tPU:Eb5k2L5wJ4Hhm8BmEIoHgYTPaCHWtPU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3056 cmd.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2528 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

752092a97d664fd30a8f2ef96dc778b1.exe

pid process

2352 752092a97d664fd30a8f2ef96dc778b1.exe
2352 752092a97d664fd30a8f2ef96dc778b1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

752092a97d664fd30a8f2ef96dc778b1.exe

description pid process

Token: SeDebugPrivilege 2352 752092a97d664fd30a8f2ef96dc778b1.exe

pid	process
3056	cmd.exe

pid	process
2528	PING.EXE

pid	process
2352	752092a97d664fd30a8f2ef96dc778b1.exe
2352	752092a97d664fd30a8f2ef96dc778b1.exe

description	pid	process
Token: SeDebugPrivilege	2352	752092a97d664fd30a8f2ef96dc778b1.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

752092a97d664fd30a8f2ef96dc778b1.execmd.exe

description	pid	process	target process
PID 2352 wrote to memory of 3056	2352	752092a97d664fd30a8f2ef96dc778b1.exe	cmd.exe
PID 2352 wrote to memory of 3056	2352	752092a97d664fd30a8f2ef96dc778b1.exe	cmd.exe
PID 2352 wrote to memory of 3056	2352	752092a97d664fd30a8f2ef96dc778b1.exe	cmd.exe
PID 3056 wrote to memory of 2528	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 2528	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 2528	3056	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\752092a97d664fd30a8f2ef96dc778b1.exe
"C:\Users\Admin\AppData\Local\Temp\752092a97d664fd30a8f2ef96dc778b1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\752092a97d664fd30a8f2ef96dc778b1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 6000
3⤵
- Runs ping.exe
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads