Analysis

max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:51
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 7522d78479092bc6853565947f62ace9.exe
Resource: win7-20231215-en (windows7-x64)
5 signatures
150 seconds
General

Target: 7522d78479092bc6853565947f62ace9.exe
Size: 528KB
MD5: 7522d78479092bc6853565947f62ace9
SHA1: f6eaed590e7e25ccaa79b2f0dfd291399085f3fb
SHA256: 543e6294f52af15f57f665d39efeeb943c3555ca62f9e0e1006619cd118da2e8
SHA512: c9707019e304f3063510af3308607b299add425006c4b8185a6579a1284f6055e464e13b949bcda80a280832e6ea2e1228e5f48ce112854185dcf7e8aed525ed
SSDEEP: 12288:FytbV3kSoXaLnToslsWsl1ujw5iNZ4QYS8Kls88Dbar:Eb5kSYaLTVlsxdMZ4Qna8WU

Score: 7/10
Malware Config
Signatures

- Deletes itself (1 IoCs)
  Processes:
    pid   process
    2140  cmd.exe

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1632  7522d78479092bc6853565947f62ace9.exe
    1632  7522d78479092bc6853565947f62ace9.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1632  7522d78479092bc6853565947f62ace9.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      pid   process                               target process
    PID 1632 wrote to memory of 2140  1632  7522d78479092bc6853565947f62ace9.exe  cmd.exe
    PID 1632 wrote to memory of 2140  1632  7522d78479092bc6853565947f62ace9.exe  cmd.exe
    PID 1632 wrote to memory of 2140  1632  7522d78479092bc6853565947f62ace9.exe  cmd.exe
    PID 2140 wrote to memory of 1984  2140  cmd.exe                               PING.EXE
    PID 2140 wrote to memory of 1984  2140  cmd.exe                               PING.EXE
    PID 2140 wrote to memory of 1984  2140  cmd.exe                               PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\7522d78479092bc6853565947f62ace9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7522d78479092bc6853565947f62ace9.exe"
   PID: 1632
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\7522d78479092bc6853565947f62ace9.exe"
      PID: 2140
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 6000
         PID: 1984
         - Runs ping.exe