e4c5f859a528c12cd60f3c536b551901cbde6f326d58445e86c7ff2aaffb999d

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 09:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8eefb6ef80ac0cefd25c457a6fff11c0N.exe
Size

316KB
MD5

8eefb6ef80ac0cefd25c457a6fff11c0
SHA1

e31ce92c8733f87588c32c2792fad1443f5df614
SHA256

e4c5f859a528c12cd60f3c536b551901cbde6f326d58445e86c7ff2aaffb999d
SHA512

b631943d48a8d5ea2eb76f5559952d254087a60c092c08bb5b66eaa516f51e32c70a8f2b9d1a0576a39663c133c4054df4fd26f1e6d51b72972cc46dc47c4cd7
SSDEEP

6144:aUORK1ttbV3kSobTYZGiNdniCoh+KiEp/KtKnGf5gP:aytbV3kSoXaLnToslw/KtK2W

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4920	cmd.exe
4752	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4752	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	8eefb6ef80ac0cefd25c457a6fff11c0N.exe
3004	8eefb6ef80ac0cefd25c457a6fff11c0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	8eefb6ef80ac0cefd25c457a6fff11c0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4920	3004	8eefb6ef80ac0cefd25c457a6fff11c0N.exe	84
PID 3004 wrote to memory of 4920	3004	8eefb6ef80ac0cefd25c457a6fff11c0N.exe	84
PID 4920 wrote to memory of 4752	4920	cmd.exe	86
PID 4920 wrote to memory of 4752	4920	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\8eefb6ef80ac0cefd25c457a6fff11c0N.exe
"C:\Users\Admin\AppData\Local\Temp\8eefb6ef80ac0cefd25c457a6fff11c0N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\8eefb6ef80ac0cefd25c457a6fff11c0N.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads