Analysis
- max time kernel: 77s
- max time network: 55s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 11:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
- Size: 216KB
- MD5: a7374d90ed33df27a9a102c02d90bfaa
- SHA1: 5dd3756b00edf6f9c2189a4e4fad1f76e109e368
- SHA256: 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98
- SHA512: 2c3a91e30990d99429118c6373ed66d14a79fbde1335609d07307a3b9aa7c29ecef2b70deda0a3ae760ceb36edd4f083c7bcfa4bb0f5007132da7136eda176fa
- Score: 1/10
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1920 wrote to memory of 800 | 1920 | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe | cmd.exe
  PID 1920 wrote to memory of 800 | 1920 | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe | cmd.exe
  PID 1920 wrote to memory of 800 | 1920 | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe | cmd.exe
  PID 1920 wrote to memory of 800 | 1920 | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe | cmd.exe
  PID 800 wrote to memory of 652 | 800 | cmd.exe | PING.EXE
  PID 800 wrote to memory of 652 | 800 | cmd.exe | PING.EXE
  PID 800 wrote to memory of 652 | 800 | cmd.exe | PING.EXE
  PID 800 wrote to memory of 652 | 800 | cmd.exe | PING.EXE
  PID 800 wrote to memory of 836 | 800 | cmd.exe | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
  PID 800 wrote to memory of 836 | 800 | cmd.exe | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
  PID 800 wrote to memory of 836 | 800 | cmd.exe | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
  PID 800 wrote to memory of 836 | 800 | cmd.exe | 2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
Processes (process tree; depth shown by indentation, command line on the second line of each entry)
1. C:\Users\Admin\AppData\Local\Temp\2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
   "C:\Users\Admin\AppData\Local\Temp\2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1920
   2. C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 8 & start "" "C:\Users\Admin\AppData\Local\Temp\2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe" mscp ahis & exit
      - Suspicious use of WriteProcessMemory
      PID: 800
      3. C:\Windows\SysWOW64\PING.EXE
         ping 127.0.0.1 -n 8
         - Runs ping.exe
         PID: 652
      3. C:\Users\Admin\AppData\Local\Temp\2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe
         "C:\Users\Admin\AppData\Local\Temp\2413cf70c27e8928cf85acc4aa9ea6747d18d4a1032830963886fc0a460b0e98.exe" mscp ahis
         PID: 836
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/652-63-0x0000000000000000-mapping.dmp
- memory/800-62-0x0000000000000000-mapping.dmp
- memory/836-64-0x0000000000000000-mapping.dmp
- memory/836-66-0x00000000001B0000-0x00000000001DA000-memory.dmp (Filesize: 168KB)
- memory/1920-59-0x0000000074FB1000-0x0000000074FB3000-memory.dmp (Filesize: 8KB)
- memory/1920-60-0x0000000000380000-0x00000000003AA000-memory.dmp (Filesize: 168KB)