9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543

Analysis

max time kernel
85s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2022, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe
Size

25KB
MD5

94c26f4642d2d6edb9ebfbef9cfa0f82
SHA1

cf0416104a33144773c002b1bcd03be3edeebe5e
SHA256

9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543
SHA512

1b0727a2afb350b6b80e297fcf1a0a30a516047e638a588f5d2dcfc5b11eefc07b6d3ac3b7c7c541850ca34cf03e9c340edeae06efc0c05b6e827cb62b9dc2c6
SSDEEP

768:htkGbZ9xjXvKBBW5bkmG+GAjhXXntCQX:hlDjSBBWm+GIntr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4776	Warper.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4444	PING.EXE
4644	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 420	4208	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	82
PID 4208 wrote to memory of 420	4208	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	82
PID 4208 wrote to memory of 420	4208	9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe	82
PID 420 wrote to memory of 4444	420	cmd.exe	84
PID 420 wrote to memory of 4444	420	cmd.exe	84
PID 420 wrote to memory of 4444	420	cmd.exe	84
PID 420 wrote to memory of 4776	420	cmd.exe	85
PID 420 wrote to memory of 4776	420	cmd.exe	85
PID 420 wrote to memory of 4776	420	cmd.exe	85
PID 4776 wrote to memory of 4692	4776	Warper.exe	86
PID 4776 wrote to memory of 4692	4776	Warper.exe	86
PID 4776 wrote to memory of 4692	4776	Warper.exe	86
PID 4692 wrote to memory of 4644	4692	cmd.exe	88
PID 4692 wrote to memory of 4644	4692	cmd.exe	88
PID 4692 wrote to memory of 4644	4692	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe
"C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Warper.exe "C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\Warper.exe
    Warper.exe "C:\Users\Admin\AppData\Local\Temp\9c7d9eb95a5bc534752d0a826392175f044db0a039ce533455dd24b6f1fae543.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Warper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
memory/4776-138-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download