271af3d935212d2f2efe62775f20ccda94a12ce1a60f5c18a78e90b16e4f9f67

Analysis

max time kernel
67s
max time network
69s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc0e1e02e12cc64f4dceb4df23eeabbb.exe
Size

1.1MB
MD5

cc0e1e02e12cc64f4dceb4df23eeabbb
SHA1

8e673cbd98a7d63bf874b4434494d8ca9c642f87
SHA256

271af3d935212d2f2efe62775f20ccda94a12ce1a60f5c18a78e90b16e4f9f67
SHA512

84acab40770ab6af2e3ac21924a271ffff8bb2390e24639038a49324b5edd77b91ea67cdeef6d93f95fddda6c8767cc1b316c2899173f020315d38697303c8e5

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

820 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cc0e1e02e12cc64f4dceb4df23eeabbb.execc0e1e02e12cc64f4dceb4df23eeabbb.exe

pid process

1744 cc0e1e02e12cc64f4dceb4df23eeabbb.exe
1228 cc0e1e02e12cc64f4dceb4df23eeabbb.exe
1228 cc0e1e02e12cc64f4dceb4df23eeabbb.exe

pid	process
820	PING.EXE

pid	process
1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe
1228	cc0e1e02e12cc64f4dceb4df23eeabbb.exe
1228	cc0e1e02e12cc64f4dceb4df23eeabbb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cc0e1e02e12cc64f4dceb4df23eeabbb.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 1228	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cc0e1e02e12cc64f4dceb4df23eeabbb.exe
PID 1744 wrote to memory of 1228	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cc0e1e02e12cc64f4dceb4df23eeabbb.exe
PID 1744 wrote to memory of 1228	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cc0e1e02e12cc64f4dceb4df23eeabbb.exe
PID 1744 wrote to memory of 1228	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cc0e1e02e12cc64f4dceb4df23eeabbb.exe
PID 1744 wrote to memory of 1432	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cmd.exe
PID 1744 wrote to memory of 1432	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cmd.exe
PID 1744 wrote to memory of 1432	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cmd.exe
PID 1744 wrote to memory of 1432	1744	cc0e1e02e12cc64f4dceb4df23eeabbb.exe	cmd.exe
PID 1432 wrote to memory of 820	1432	cmd.exe	PING.EXE
PID 1432 wrote to memory of 820	1432	cmd.exe	PING.EXE
PID 1432 wrote to memory of 820	1432	cmd.exe	PING.EXE
PID 1432 wrote to memory of 820	1432	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe
"C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe
C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:820

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-3-0x0000000000000000-mapping.dmp

Download
memory/1228-0-0x0000000000000000-mapping.dmp

Download
memory/1228-1-0x0000000002580000-0x0000000002591000-memory.dmp

Filesize
68KB

Download
memory/1432-2-0x0000000000000000-mapping.dmp

Download