fdb22e046f3825771b3a6e0166bbb917ddb2c18537a3328d0bec8c03a0141c3d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 03:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca54f89306780193d955ab253f982cec.exe
Size

644KB
MD5

ca54f89306780193d955ab253f982cec
SHA1

7aed266669bab4e0e3e0f3b3e941297ee71bffa2
SHA256

fdb22e046f3825771b3a6e0166bbb917ddb2c18537a3328d0bec8c03a0141c3d
SHA512

78beba102fe88eea85742acdaa2aece150d578ff62b245dd9326701795ec321b2d1bdf7b6bfc63806721b878174e7de6f96c6fd029566bf6672d45bbb33de410
SSDEEP

12288:FytbV3kSoXaLnTosl2GV3CZKYoVPtrZP33DQtenFgT49Y7/2MkhukegZlh+9:Eb5kSYaLTVlRVy5oVFVvD9FgM9O6eyc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1500	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	ca54f89306780193d955ab253f982cec.exe
2172	ca54f89306780193d955ab253f982cec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	ca54f89306780193d955ab253f982cec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1500	2172	ca54f89306780193d955ab253f982cec.exe	28
PID 2172 wrote to memory of 1500	2172	ca54f89306780193d955ab253f982cec.exe	28
PID 2172 wrote to memory of 1500	2172	ca54f89306780193d955ab253f982cec.exe	28
PID 1500 wrote to memory of 2740	1500	cmd.exe	30
PID 1500 wrote to memory of 2740	1500	cmd.exe	30
PID 1500 wrote to memory of 2740	1500	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\ca54f89306780193d955ab253f982cec.exe
"C:\Users\Admin\AppData\Local\Temp\ca54f89306780193d955ab253f982cec.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ca54f89306780193d955ab253f982cec.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - Runs ping.exe
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads