4ed271a26862c4672c106efdcd0912babd51e0cd779775b4c283d5674c904009

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d8ae6ec50170ce100b3888c20b090b0N.exe
Size

666KB
MD5

7d8ae6ec50170ce100b3888c20b090b0
SHA1

82b3757da86eefa27cd77723080b9cf2c2c11d32
SHA256

4ed271a26862c4672c106efdcd0912babd51e0cd779775b4c283d5674c904009
SHA512

7f2fd5ce447e9e5f0ca2a02ab1eae6323d68e57b65ccd36b4cb95ecc29f5d77ed68f2ca72a4e7f715985bfc65953c6ccb93b4ff0dc89b54e8f2d9bd3c41d169c
SSDEEP

12288:7ytbV3kSoXaLnToslldQ/xJNnEGo0dXB/VeDhGXP4XLexTa9W:6b5kSYaLTVllW/xQGRXBNSI/2ed5

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

3288 cmd.exe
456 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

456 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7d8ae6ec50170ce100b3888c20b090b0N.exe

pid process

2408 7d8ae6ec50170ce100b3888c20b090b0N.exe
2408 7d8ae6ec50170ce100b3888c20b090b0N.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7d8ae6ec50170ce100b3888c20b090b0N.exe

description pid process

Token: SeDebugPrivilege 2408 7d8ae6ec50170ce100b3888c20b090b0N.exe

pid	process
3288	cmd.exe
456	PING.EXE

pid	process
456	PING.EXE

pid	process
2408	7d8ae6ec50170ce100b3888c20b090b0N.exe
2408	7d8ae6ec50170ce100b3888c20b090b0N.exe

description	pid	process
Token: SeDebugPrivilege	2408	7d8ae6ec50170ce100b3888c20b090b0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7d8ae6ec50170ce100b3888c20b090b0N.execmd.exe

description	pid	process	target process
PID 2408 wrote to memory of 3288	2408	7d8ae6ec50170ce100b3888c20b090b0N.exe	cmd.exe
PID 2408 wrote to memory of 3288	2408	7d8ae6ec50170ce100b3888c20b090b0N.exe	cmd.exe
PID 3288 wrote to memory of 456	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 456	3288	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7d8ae6ec50170ce100b3888c20b090b0N.exe
"C:\Users\Admin\AppData\Local\Temp\7d8ae6ec50170ce100b3888c20b090b0N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\7d8ae6ec50170ce100b3888c20b090b0N.exe"
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 6000
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads