b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b

Analysis

max time kernel
86s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2022, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe
Size

25KB
MD5

3f8bba863ea1ff184f93e030227e1b01
SHA1

207619326716813468d914d729a6d3484a897610
SHA256

b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b
SHA512

4935bc2f5ef754308ffd1cbe98e039771454700d79c6a0c37081ffe9c5ed66e1c12889bfa29668d4bdd8639a065ff67f0fcdfca9586fa8651b8857385c03ca67
SSDEEP

768:PjWULbsVj9xjXvKBBW5bTCVVJ8+SeAx5mZWG8:PjY5DjSBBWUxDVAxe8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4836	Warper.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2156	PING.EXE
4840	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 364	1484	b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe	84
PID 1484 wrote to memory of 364	1484	b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe	84
PID 1484 wrote to memory of 364	1484	b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe	84
PID 364 wrote to memory of 2156	364	cmd.exe	86
PID 364 wrote to memory of 2156	364	cmd.exe	86
PID 364 wrote to memory of 2156	364	cmd.exe	86
PID 364 wrote to memory of 4836	364	cmd.exe	87
PID 364 wrote to memory of 4836	364	cmd.exe	87
PID 364 wrote to memory of 4836	364	cmd.exe	87
PID 4836 wrote to memory of 784	4836	Warper.exe	88
PID 4836 wrote to memory of 784	4836	Warper.exe	88
PID 4836 wrote to memory of 784	4836	Warper.exe	88
PID 784 wrote to memory of 4840	784	cmd.exe	90
PID 784 wrote to memory of 4840	784	cmd.exe	90
PID 784 wrote to memory of 4840	784	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe
"C:\Users\Admin\AppData\Local\Temp\b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Warper.exe "C:\Users\Admin\AppData\Local\Temp\b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2156
- - C:\Users\Admin\AppData\Local\Temp\Warper.exe
    Warper.exe "C:\Users\Admin\AppData\Local\Temp\b93482ec286952e4d1802d1cf6a7cf112c751dbca3172b20ee53ef7a37f1614b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Warper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
memory/4836-138-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download