Analysis
- max time kernel: 140s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:51
Static task: static1 (1 signatures)
Behavioral task: behavioral1
- Sample: 7522d78479092bc6853565947f62ace9.exe
- Resource: win7-20231215-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: 7522d78479092bc6853565947f62ace9.exe
- Size: 528KB
- MD5: 7522d78479092bc6853565947f62ace9
- SHA1: f6eaed590e7e25ccaa79b2f0dfd291399085f3fb
- SHA256: 543e6294f52af15f57f665d39efeeb943c3555ca62f9e0e1006619cd118da2e8
- SHA512: c9707019e304f3063510af3308607b299add425006c4b8185a6579a1284f6055e464e13b949bcda80a280832e6ea2e1228e5f48ce112854185dcf7e8aed525ed
- SSDEEP: 12288:FytbV3kSoXaLnToslsWsl1ujw5iNZ4QYS8Kls88Dbar:Eb5kSYaLTVlsxdMZ4Qna8WU
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4852  7522d78479092bc6853565947f62ace9.exe
    4852  7522d78479092bc6853565947f62ace9.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4852  7522d78479092bc6853565947f62ace9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 4852 wrote to memory of 4724   4852  7522d78479092bc6853565947f62ace9.exe  cmd.exe
    PID 4852 wrote to memory of 4724   4852  7522d78479092bc6853565947f62ace9.exe  cmd.exe
    PID 4724 wrote to memory of 648    4724  cmd.exe                               PING.EXE
    PID 4724 wrote to memory of 648    4724  cmd.exe                               PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\7522d78479092bc6853565947f62ace9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7522d78479092bc6853565947f62ace9.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4852
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\7522d78479092bc6853565947f62ace9.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4724
    - [3] C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 6000
      - Runs ping.exe
      PID: 648