73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1

Analysis

max time kernel
135s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2022, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe
Size

25KB
MD5

fe4dc7253c5f0cef4011168365c9ac71
SHA1

ea65534e7c4e5b9a06b7705d9923da1425507b70
SHA256

73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1
SHA512

4e5cdd8ec38a80510ae698b88694a7c41f4acee8bd83ff006ffc497fa4d9e207810ca1291ed22078529c1d666542013eeb7399fdfec84a95037b2bba4073a922
SSDEEP

384:pWj0BhUx9x09RXjXz7XjCWwqK8Wzz8WW5bIwH1ylj7VYIPI47h61EnNKt:Yj0Mb+9xjXvKBBW5bgmDYvNy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	Warper.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3560	PING.EXE
2768	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 2456	4628	73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe	80
PID 4628 wrote to memory of 2456	4628	73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe	80
PID 4628 wrote to memory of 2456	4628	73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe	80
PID 2456 wrote to memory of 3560	2456	cmd.exe	82
PID 2456 wrote to memory of 3560	2456	cmd.exe	82
PID 2456 wrote to memory of 3560	2456	cmd.exe	82
PID 2456 wrote to memory of 2068	2456	cmd.exe	83
PID 2456 wrote to memory of 2068	2456	cmd.exe	83
PID 2456 wrote to memory of 2068	2456	cmd.exe	83
PID 2068 wrote to memory of 596	2068	Warper.exe	84
PID 2068 wrote to memory of 596	2068	Warper.exe	84
PID 2068 wrote to memory of 596	2068	Warper.exe	84
PID 596 wrote to memory of 2768	596	cmd.exe	86
PID 596 wrote to memory of 2768	596	cmd.exe	86
PID 596 wrote to memory of 2768	596	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe
"C:\Users\Admin\AppData\Local\Temp\73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Warper.exe "C:\Users\Admin\AppData\Local\Temp\73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3560
- - C:\Users\Admin\AppData\Local\Temp\Warper.exe
    Warper.exe "C:\Users\Admin\AppData\Local\Temp\73d977e3a8014046b131a76b2eb4de9694ba34721ed0aa6aeddb62076de03df1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Warper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
memory/2068-138-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download