Analysis
max time kernel: 106s
max time network: 109s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:40
Behavioral task
behavioral1
Sample
a3364d7ee3c44217d737f9bebfebef06.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
a3364d7ee3c44217d737f9bebfebef06.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
Target: a3364d7ee3c44217d737f9bebfebef06.exe
Size: 1.2MB
MD5: a3364d7ee3c44217d737f9bebfebef06
SHA1: 83ed0f17c0fac0508ddd495671da2d7e49b89758
SHA256: a5e45cc4c8c85b23bb9778543aef8894a3c92b623e7d09384c7afda35a9939fe
SHA512: b164b757933655f9010ae44b428d2708fded4be395c6a79edffd0b08c5b7d72daf0e3b8a8ac7022422f608ba7522f35e3e7989710b35b07a7bc544d2db7e446b
Score: 1/10
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: a3364d7ee3c44217d737f9bebfebef06.exe, a3364d7ee3c44217d737f9bebfebef06.exe
  pid   process
  1848  a3364d7ee3c44217d737f9bebfebef06.exe
  1568  a3364d7ee3c44217d737f9bebfebef06.exe
  1568  a3364d7ee3c44217d737f9bebfebef06.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: a3364d7ee3c44217d737f9bebfebef06.exe, cmd.exe
  description                       pid   process                               target process
  PID 1848 wrote to memory of 1568  1848  a3364d7ee3c44217d737f9bebfebef06.exe  a3364d7ee3c44217d737f9bebfebef06.exe
  PID 1848 wrote to memory of 1568  1848  a3364d7ee3c44217d737f9bebfebef06.exe  a3364d7ee3c44217d737f9bebfebef06.exe
  PID 1848 wrote to memory of 1568  1848  a3364d7ee3c44217d737f9bebfebef06.exe  a3364d7ee3c44217d737f9bebfebef06.exe
  PID 1848 wrote to memory of 1568  1848  a3364d7ee3c44217d737f9bebfebef06.exe  a3364d7ee3c44217d737f9bebfebef06.exe
  PID 1848 wrote to memory of 1764  1848  a3364d7ee3c44217d737f9bebfebef06.exe  cmd.exe
  PID 1848 wrote to memory of 1764  1848  a3364d7ee3c44217d737f9bebfebef06.exe  cmd.exe
  PID 1848 wrote to memory of 1764  1848  a3364d7ee3c44217d737f9bebfebef06.exe  cmd.exe
  PID 1848 wrote to memory of 1764  1848  a3364d7ee3c44217d737f9bebfebef06.exe  cmd.exe
  PID 1764 wrote to memory of 1700  1764  cmd.exe                               PING.EXE
  PID 1764 wrote to memory of 1700  1764  cmd.exe                               PING.EXE
  PID 1764 wrote to memory of 1700  1764  cmd.exe                               PING.EXE
  PID 1764 wrote to memory of 1700  1764  cmd.exe                               PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe /C
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      cmdline: ping.exe -n 6 127.0.0.1
      - Runs ping.exe