9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/09/2022, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe
Size

25KB
MD5

94c26f4642d2d6edb9ebfbef9cfa0f82
SHA1

cf0416104a33144773c002b1bcd03be3edeebe5e
SHA256

9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543
SHA512

1b0727a2afb350b6b80e297fcf1a0a30a516047e638a588f5d2dcfc5b11eefc07b6d3ac3b7c7c541850ca34cf03e9c340edeae06efc0c05b6e827cb62b9dc2c6
SSDEEP

768:htkGbZ9xjXvKBBW5bkmG+GAjhXXntCQX:hlDjSBBWm+GIntr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
552	Warper.exe

Loads dropped DLL 2 IoCs

pid	Process
844	cmd.exe
844	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1464	PING.EXE
572	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 844	1204	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	28
PID 1204 wrote to memory of 844	1204	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	28
PID 1204 wrote to memory of 844	1204	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	28
PID 1204 wrote to memory of 844	1204	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	28
PID 844 wrote to memory of 1464	844	cmd.exe	30
PID 844 wrote to memory of 1464	844	cmd.exe	30
PID 844 wrote to memory of 1464	844	cmd.exe	30
PID 844 wrote to memory of 1464	844	cmd.exe	30
PID 844 wrote to memory of 552	844	cmd.exe	31
PID 844 wrote to memory of 552	844	cmd.exe	31
PID 844 wrote to memory of 552	844	cmd.exe	31
PID 844 wrote to memory of 552	844	cmd.exe	31
PID 552 wrote to memory of 1132	552	Warper.exe	32
PID 552 wrote to memory of 1132	552	Warper.exe	32
PID 552 wrote to memory of 1132	552	Warper.exe	32
PID 552 wrote to memory of 1132	552	Warper.exe	32
PID 1132 wrote to memory of 572	1132	cmd.exe	34
PID 1132 wrote to memory of 572	1132	cmd.exe	34
PID 1132 wrote to memory of 572	1132	cmd.exe	34
PID 1132 wrote to memory of 572	1132	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe
"C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Warper.exe "C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\Warper.exe
    Warper.exe "C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Warper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
memory/552-63-0x0000000000BB0000-0x0000000000BB5000-memory.dmp

Filesize
20KB

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download