4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209

Resubmissions

18-02-2021 10:24

17-02-2021 21:35

Target

keygen-step-3.exe
Size

704KB
MD5

62d2a07135884c5c8ff742c904fddf56
SHA1

46ce1f7fdf8b4cb2abe479efd5f352db9728a40b
SHA256

a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81
SHA512

19c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2188 PING.EXE

pid	process
2188	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

keygen-step-3.execmd.exe

description	pid	process	target process
PID 4092 wrote to memory of 1552	4092	keygen-step-3.exe	cmd.exe
PID 4092 wrote to memory of 1552	4092	keygen-step-3.exe	cmd.exe
PID 4092 wrote to memory of 1552	4092	keygen-step-3.exe	cmd.exe
PID 1552 wrote to memory of 2188	1552	cmd.exe	PING.EXE
PID 1552 wrote to memory of 2188	1552	cmd.exe	PING.EXE
PID 1552 wrote to memory of 2188	1552	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:2188

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact