ef54b2f08f0a9e69c504d2feb83c1dcfe4519ab77aa2a68c943fc0f3da1624f0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe
Size

316KB
MD5

206451569308fa5f9f6202cb502036d6
SHA1

207df57c689b3b859a126d14143a69774714bb16
SHA256

bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9
SHA512

39fb569460b0d2204064762ce7a7f223f17e1f40872be44d035eedd713a319ed4783c0f3dcdc263aa2173dccf6057470c28aa6d1b9c6e08363721e3e4f8c1dc5
SSDEEP

6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiE0+pYt8h:FytbV3kSoXaLnToslz+pYg

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
988	cmd.exe
1048	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1048	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe
1524	bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 988	1524	bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe	84
PID 1524 wrote to memory of 988	1524	bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe	84
PID 988 wrote to memory of 1048	988	cmd.exe	86
PID 988 wrote to memory of 1048	988	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe
"C:\Users\Admin\AppData\Local\Temp\bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\bafc55161f87a2159998a6f469515f0bade3a260145b0e29d07d78723592c7c9.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads