7e17575b7e8c9b1622b1215761ac5979fe75a145e2ee15d1572d2d91e20402c2

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a265dff281036bd8cbba8a55566f584e.exe
Size

316KB
MD5

a265dff281036bd8cbba8a55566f584e
SHA1

1afe3fb0f8b7258530b0c0dfa4d3dd37debc6f4f
SHA256

7e17575b7e8c9b1622b1215761ac5979fe75a145e2ee15d1572d2d91e20402c2
SHA512

ec6b3c6bfd125804ef8e947421c9115a8bffd3aa4bc4a935604662875e8c74784cc3e812f5d97b77e9751a2829f50a0f643c9ab8d0736b39c763b56d21c1ac8c
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiE/uy5NIv1zPF:FytbV3kSoXaLnTosl4uynIv9t

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2020	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	a265dff281036bd8cbba8a55566f584e.exe
2856	a265dff281036bd8cbba8a55566f584e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	a265dff281036bd8cbba8a55566f584e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2608	2856	a265dff281036bd8cbba8a55566f584e.exe	28
PID 2856 wrote to memory of 2608	2856	a265dff281036bd8cbba8a55566f584e.exe	28
PID 2856 wrote to memory of 2608	2856	a265dff281036bd8cbba8a55566f584e.exe	28
PID 2608 wrote to memory of 2020	2608	cmd.exe	30
PID 2608 wrote to memory of 2020	2608	cmd.exe	30
PID 2608 wrote to memory of 2020	2608	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\a265dff281036bd8cbba8a55566f584e.exe
"C:\Users\Admin\AppData\Local\Temp\a265dff281036bd8cbba8a55566f584e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a265dff281036bd8cbba8a55566f584e.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads