85e46e5e1a9b0117c0f1992ae253eac8fb69f854d35e7236583da529985204fc

Analysis

max time kernel
314s
max time network
388s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/06/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleApplication2.exe
Size

4.5MB
MD5

ba6ea0efc527f2dcd8c13606a5e24e9a
SHA1

43a92bb3a589acf1a8480c7f0aeb14c7def349bd
SHA256

85e46e5e1a9b0117c0f1992ae253eac8fb69f854d35e7236583da529985204fc
SHA512

f4e7e4828bae57b8fac2e61ba254806408ef1aa2f35ac0da2b8b9fa5de25e2eaa537344138460f78b0271b82904a3b2e22f3ba078c9d8c3fe46c4f490c0462b5
SSDEEP

49152:mIvjeYIhNma2OwgHK0FqFREXY3Dl11tB+ugTizmRK6HeLAiIM1QfJPgDEWzIOwLy:mIvjeYgGoqF5DlzqTMTDEa

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5092	PING.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemProfilePrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeProfSingleProcessPrivilege	1292	WMIC.exe
Token: SeIncBasePriorityPrivilege	1292	WMIC.exe
Token: SeCreatePagefilePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeDebugPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeRemoteShutdownPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: 33	1292	WMIC.exe
Token: 34	1292	WMIC.exe
Token: 35	1292	WMIC.exe
Token: 36	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemProfilePrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeProfSingleProcessPrivilege	1292	WMIC.exe
Token: SeIncBasePriorityPrivilege	1292	WMIC.exe
Token: SeCreatePagefilePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeDebugPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeRemoteShutdownPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: 33	1292	WMIC.exe
Token: 34	1292	WMIC.exe
Token: 35	1292	WMIC.exe
Token: 36	1292	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3632	5056	ConsoleApplication2.exe	74
PID 5056 wrote to memory of 3632	5056	ConsoleApplication2.exe	74
PID 5056 wrote to memory of 3632	5056	ConsoleApplication2.exe	74
PID 3632 wrote to memory of 5092	3632	cmd.exe	75
PID 3632 wrote to memory of 5092	3632	cmd.exe	75
PID 3632 wrote to memory of 5092	3632	cmd.exe	75
PID 5056 wrote to memory of 1144	5056	ConsoleApplication2.exe	76
PID 5056 wrote to memory of 1144	5056	ConsoleApplication2.exe	76
PID 5056 wrote to memory of 1144	5056	ConsoleApplication2.exe	76
PID 1144 wrote to memory of 1292	1144	cmd.exe	77
PID 1144 wrote to memory of 1292	1144	cmd.exe	77
PID 1144 wrote to memory of 1292	1144	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 1.1.1.1
    3⤵
    - Runs ping.exe
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...