b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe
Size

320KB
MD5

d50f39388b2de3c968f91218f0e588c4
SHA1

de93d32ec126e9ce4bb6ea91e8773057dddd6bb7
SHA256

b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538
SHA512

baced0bbabf3d98d7cba269543f18f502b0d2740356b08ee889b6498628e47c6645a5911a9f55ff1f7b1101388c839c7331b7285fa82ec7477c5731465653673
SSDEEP

6144:8UORK1ttbV3kSobTYZGiNdnijoh+EiIt4f/q6mXWo2X:8ytbV3kSoXaLnyosHqMCfWo2X

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2328	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2328	cmd.exe
2760	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2760	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1792	b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe
1792	b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2328	1792	b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe	30
PID 1792 wrote to memory of 2328	1792	b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe	30
PID 1792 wrote to memory of 2328	1792	b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe	30
PID 2328 wrote to memory of 2760	2328	cmd.exe	32
PID 2328 wrote to memory of 2760	2328	cmd.exe	32
PID 2328 wrote to memory of 2760	2328	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe
"C:\Users\Admin\AppData\Local\Temp\b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b51bcfeaa4fb9f3bb6071e7836fe4c2fae862f828fc6ce85625a9be1b4fdd538.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-0-0x000000013FAC0000-0x000000013FB11000-memory.dmp

Filesize
324KB

Download
memory/1792-2-0x000000013FAC0000-0x000000013FB11000-memory.dmp

Filesize
324KB

Download