Malware Analysis Report

2024-11-30 16:01

Sample ID 220630-xq9reaahb6
Target 0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85
SHA256 0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85
Tags
imminent persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85

Threat Level: Known bad

The file 0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85 was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-30 19:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-30 19:04

Reported

2022-06-30 19:38

Platform

win7-20220414-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

The deletion is performed by the cmd.exe listed under Processes: ping is used as a short delay, then Del removes the submitted file. After that only the copy under the hash-named directory remains on disk.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Server.exe" C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\Server.exe" C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe N/A

The Run value "Default Key" is written twice by the dropped copy: first as a relative path, then as the full path %APPDATA%\Default Folder\Server.exe (the doubled backslashes in the Indicator column appear to be the sandbox's string escaping). No write of Server.exe appears in the Files section of this run, so the entry points at a path the sandbox did not observe being created within its 150 s window.

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe N/A (2 identical hits)
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A (62 identical hits)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A (64 identical hits)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A (64 identical hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe (4 identical hits)
PID 1984 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe C:\Windows\SysWOW64\cmd.exe (4 identical hits)
PID 1000 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe C:\Windows\SysWOW64\taskmgr.exe (4 identical hits)
PID 860 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (4 identical hits)

Processes

C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe

"C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe

"C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Image paths under SysWOW64 paired with command lines that name System32 are WOW64 file-system redirection: the sample runs as a 32-bit process, so its requests for System32 binaries are served from the 32-bit copies in SysWOW64. Detection rules that match on the literal System32 image path will miss these child processes.

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.17.7.232:9003 0.tcp.ngrok.io tcp
US 3.17.7.232:9003 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.14.182.203:9003 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.17.7.232:9003 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.134.39.220:9003 0.tcp.ngrok.io tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.17.7.232:9003 0.tcp.ngrok.io tcp
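The persistence, self-deletion and C2 records of this run lend themselves to simple event-based detections. The following Python is an added example, not the sandbox's code or any project's: it runs over constructed Sysmon-style process, registry and DNS events that mirror the behavioral1 records (the event field names, the placeholder parent PID 0 for the submitted sample, and the pid-less DNS event are assumptions, since the report gives none of these) and applies three checks: a cmd.exe that uses ping as a delay and then deletes its parent's own image, Run values that are relative paths or point into user-writable directories, and lookups of a tunnelling service's domain. Image comparison folds the WOW64 redirect, because the report shows SysWOW64 image paths for command lines naming System32.

```python
"""Detections for the behaviours in this report, run over constructed
Sysmon-style events (added example; the event shape is an assumption)."""
import re

HASH = "0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + HASH + ".exe"                   # submitted file
DROPPED = TEMP + HASH + "\\" + HASH + ".exe"    # the copy it executes
RUN_KEY = ("HKU\\S-1-5-21-1819626980-2277161760-1023733287-1000"
           "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")

# Constructed events mirroring behavioral1.  ppid 0 for the sample and the
# pid-less DNS event are placeholders: the report records neither.
EVENTS = [
    {"type": "process", "pid": 1984, "ppid": 0, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process", "pid": 1000, "ppid": 1984, "image": DROPPED,
     "cmdline": '"' + DROPPED + '"'},
    {"type": "process", "pid": 860, "ppid": 1984,
     "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 '
                '> Nul & Del "' + SAMPLE + '"'},
    {"type": "process", "pid": 672, "ppid": 1000,
     "image": "C:\\Windows\\SysWOW64\\taskmgr.exe",
     "cmdline": '"C:\\Windows\\System32\\taskmgr.exe"'},
    {"type": "process", "pid": 456, "ppid": 860,
     "image": "C:\\Windows\\SysWOW64\\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 1000"},
    {"type": "registry", "pid": 1000, "key": RUN_KEY, "value": "Default Key",
     "data": "\\Default Folder\\Server.exe"},
    {"type": "registry", "pid": 1000, "key": RUN_KEY, "value": "Default Key",
     "data": "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\Server.exe"},
    {"type": "dns", "query": "0.tcp.ngrok.io"},
]


def canonical_image(path):
    """Comparison form of an image path: unquoted, lower-case, with the WOW64
    redirect folded (a 32-bit process naming System32 gets SysWOW64 on disk)."""
    return path.strip('"').lower().replace("\\windows\\syswow64\\",
                                           "\\windows\\system32\\")


def index_processes(events):
    """Map pid -> process-creation event."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


# "ping <host> -n <n> ... & del <file>": ping used as a sleep before deleting.
SELF_DELETE = re.compile(
    r'ping\s+\S+\s+-n\s+\d+.*?&\s*del\s+"?(?P<target>[^"&]+?)"?\s*$', re.I)


def self_delete_chains(events):
    """(cmd pid, parent pid, target) where cmd.exe ping-then-deletes its parent."""
    by_pid, hits = index_processes(events), []
    for e in by_pid.values():
        if not canonical_image(e["image"]).endswith("\\cmd.exe"):
            continue
        m, parent = SELF_DELETE.search(e["cmdline"]), by_pid.get(e["ppid"])
        if m and parent and canonical_image(m["target"]) == canonical_image(parent["image"]):
            hits.append((e["pid"], parent["pid"], m["target"]))
    return hits


USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def suspicious_run_values(events):
    """(value, data, reason) for Run/RunOnce entries that are relative paths or
    point into user-writable directories."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not re.search(
                r"\\currentversion\\run(once)?$", e["key"], re.I):
            continue
        data = e["data"].strip('"').lower()
        if not re.match(r"^[a-z]:\\", data):
            reason = "relative path"
        elif any(d in data for d in USER_WRITABLE):
            reason = "user-writable location"
        else:
            continue
        hits.append((e["value"], e["data"], reason))
    return hits


TUNNEL_SUFFIXES = (".ngrok.io",)   # relay services that front RAT C2; extend as needed


def tunnel_lookups(events):
    """DNS queries for tunnelling/relay service domains."""
    return [e["query"] for e in events
            if e["type"] == "dns" and e["query"].lower().endswith(TUNNEL_SUFFIXES)]


if __name__ == "__main__":
    print("self-delete:", self_delete_chains(EVENTS))
    print("run values:", suspicious_run_values(EVENTS))
    print("tunnel lookups:", tunnel_lookups(EVENTS))
```

Matching the deletion target against the parent's own image, rather than against a fixed file name, is what lets the self-delete check generalise beyond this sample. The network check keys on the domain suffix rather than on addresses because, as the table above shows, 0.tcp.ngrok.io resolved to four different relay addresses on port 9003 within a single run.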

Files

memory/1984-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe (recorded six times in this run, with and without the C: prefix; all entries carry the same hashes)

MD5 3a79ab637f283d9f5c69ceb7237ebcfb
SHA1 6c79951dff87f8e102571a49c2d7ac7621321d97
SHA256 0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85
SHA512 e550d50b0d3b78e3b655e02e70f00f08573a89138b86abb98c3a848f149d98cf49f62fd01aeb836f55dc7a05f72fa7dc4d6b22dad7d4c893b88622f6f6167d05

The dropped file's SHA256 equals that of the submitted sample: the first stage copies itself byte-for-byte into a directory named after its own hash and executes the copy.

memory/1000-57-0x0000000000000000-mapping.dmp

memory/860-61-0x0000000000000000-mapping.dmp

memory/672-62-0x0000000000000000-mapping.dmp

memory/456-64-0x0000000000000000-mapping.dmp

memory/1984-65-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/1000-66-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/1000-69-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-30 19:04

Reported

2022-06-30 19:39

Platform

win10v2004-20220414-en

Max time kernel

3s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

Signatures

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe

"C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe

"C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.134.125.175:9003 0.tcp.ngrok.io tcp
US 93.184.220.29:80 - tcp
US 3.134.125.175:9003 0.tcp.ngrok.io tcp
US 52.152.110.14:443 - tcp
US 8.238.111.254:80 - tcp

Files

memory/2664-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe

MD5 1a549da74af5f914bd4110a2d1c832ca
SHA1 360fbaa68946e1bac4b8184ced40e4b04c7c5af7
SHA256 6e6c701affb441a99164b0f87605749e182c260db7101d69bed614be267b6b11
SHA512 ef60bf2a4404699bcdbfcc24acbf473470820fa369df3164b4815c3fdc3f75ccd8b200acc6d816b1d39c683967fe485a89d7fcd7fad4a33daba8c0d966e5aff6

C:\Users\Admin\AppData\Local\Temp\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85\0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85.exe

MD5 070406159ea2c2490372f28c8bc25a3b
SHA1 ca8c7714ff9824739588e70689e7d8675fdbfac6
SHA256 3d4e6e5ad9815869bc7fe8de5dfb406a9ddd024746828100663045951b21c4cd
SHA512 3431637ea8959bef6c699674e21fcc29e67d249e6eeb0e26b7c3aa3794fef791354b7d3f25effe7115a6eae13f764164a7979ba0e09b6c8fac907ae1ad73ac11

Unlike behavioral1, the two entries recorded for the dropped path carry hashes that differ from each other and from the submitted sample (SHA256 0e44d2322791910c8753f89a387dfa576c6bda0c73b5bd62ca689cf10ca96c85), so the file written at that path on Win10 was not a byte-identical copy of the first stage.

memory/5012-131-0x0000000000000000-mapping.dmp

memory/5012-134-0x00000000748F0000-0x0000000074EA1000-memory.dmp

memory/4104-135-0x0000000000000000-mapping.dmp

memory/2896-136-0x0000000000000000-mapping.dmp

memory/3684-137-0x0000000000000000-mapping.dmp

memory/2664-138-0x00000000748F0000-0x0000000074EA1000-memory.dmp