3c2cfd02b721368fdfba96b0dccb850e6af1afd0610103563cb7a1967c9b9905

Analysis

max time kernel
37s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e453c28ebe05b93155284aa292929e.exe
Size

1.1MB
MD5

27e453c28ebe05b93155284aa292929e
SHA1

f4fe6836d76a66fbd37739bb024ad49428ee9f2b
SHA256

3c2cfd02b721368fdfba96b0dccb850e6af1afd0610103563cb7a1967c9b9905
SHA512

c3848e76871b499ba1fab66a38df27a1c2cf53ee32442a32aa3db4a426806c3bd8e3f0aeaf53cd950ba27cd35be754ba75a75f70ff33747125fd822733f26af3

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

844 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

27e453c28ebe05b93155284aa292929e.exe27e453c28ebe05b93155284aa292929e.exe

pid process

748 27e453c28ebe05b93155284aa292929e.exe
1636 27e453c28ebe05b93155284aa292929e.exe
1636 27e453c28ebe05b93155284aa292929e.exe

pid	process
844	PING.EXE

pid	process
748	27e453c28ebe05b93155284aa292929e.exe
1636	27e453c28ebe05b93155284aa292929e.exe
1636	27e453c28ebe05b93155284aa292929e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

27e453c28ebe05b93155284aa292929e.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 1636	748	27e453c28ebe05b93155284aa292929e.exe	27e453c28ebe05b93155284aa292929e.exe
PID 748 wrote to memory of 1636	748	27e453c28ebe05b93155284aa292929e.exe	27e453c28ebe05b93155284aa292929e.exe
PID 748 wrote to memory of 1636	748	27e453c28ebe05b93155284aa292929e.exe	27e453c28ebe05b93155284aa292929e.exe
PID 748 wrote to memory of 1636	748	27e453c28ebe05b93155284aa292929e.exe	27e453c28ebe05b93155284aa292929e.exe
PID 748 wrote to memory of 1220	748	27e453c28ebe05b93155284aa292929e.exe	cmd.exe
PID 748 wrote to memory of 1220	748	27e453c28ebe05b93155284aa292929e.exe	cmd.exe
PID 748 wrote to memory of 1220	748	27e453c28ebe05b93155284aa292929e.exe	cmd.exe
PID 748 wrote to memory of 1220	748	27e453c28ebe05b93155284aa292929e.exe	cmd.exe
PID 1220 wrote to memory of 844	1220	cmd.exe	PING.EXE
PID 1220 wrote to memory of 844	1220	cmd.exe	PING.EXE
PID 1220 wrote to memory of 844	1220	cmd.exe	PING.EXE
PID 1220 wrote to memory of 844	1220	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\27e453c28ebe05b93155284aa292929e.exe
"C:\Users\Admin\AppData\Local\Temp\27e453c28ebe05b93155284aa292929e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\27e453c28ebe05b93155284aa292929e.exe
C:\Users\Admin\AppData\Local\Temp\27e453c28ebe05b93155284aa292929e.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\27e453c28ebe05b93155284aa292929e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-3-0x0000000000000000-mapping.dmp

Download
memory/1220-2-0x0000000000000000-mapping.dmp

Download
memory/1636-0-0x0000000000000000-mapping.dmp

Download
memory/1636-1-0x0000000002320000-0x0000000002331000-memory.dmp

Filesize
68KB

Download