3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/09/2022, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe
Size

25KB
MD5

36f3c72ffeb4bbe829bee4a8e6326ca0
SHA1

604a8f6671589977efe91331d9811a7be390200d
SHA256

3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c
SHA512

a803f4c15daaf85397da22673898d20352b8463a706afaa735e6a35c66c57422250c15b598bd989bdcf0a3e8c21a21e96373767be91034f0299b2421a140c369
SSDEEP

384:sW9f3+Ux9A309RXjXz7XjCWwqK8Wzz8WW5bIwHFrPWIT4qJtBoeNpg1daD:T9fdbAE9xjXvKBBW5bZPJM0C74

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
808	Warper.exe

Loads dropped DLL 2 IoCs

pid	Process
304	cmd.exe
304	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1972	PING.EXE
1452	PING.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 304	1092	3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe	28
PID 1092 wrote to memory of 304	1092	3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe	28
PID 1092 wrote to memory of 304	1092	3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe	28
PID 1092 wrote to memory of 304	1092	3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe	28
PID 304 wrote to memory of 1972	304	cmd.exe	30
PID 304 wrote to memory of 1972	304	cmd.exe	30
PID 304 wrote to memory of 1972	304	cmd.exe	30
PID 304 wrote to memory of 1972	304	cmd.exe	30
PID 304 wrote to memory of 808	304	cmd.exe	31
PID 304 wrote to memory of 808	304	cmd.exe	31
PID 304 wrote to memory of 808	304	cmd.exe	31
PID 304 wrote to memory of 808	304	cmd.exe	31
PID 808 wrote to memory of 1192	808	Warper.exe	32
PID 808 wrote to memory of 1192	808	Warper.exe	32
PID 808 wrote to memory of 1192	808	Warper.exe	32
PID 808 wrote to memory of 1192	808	Warper.exe	32
PID 1192 wrote to memory of 1452	1192	cmd.exe	34
PID 1192 wrote to memory of 1452	1192	cmd.exe	34
PID 1192 wrote to memory of 1452	1192	cmd.exe	34
PID 1192 wrote to memory of 1452	1192	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe
"C:\Users\Admin\AppData\Local\Temp\3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Warper.exe "C:\Users\Admin\AppData\Local\Temp\3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\Warper.exe
    Warper.exe "C:\Users\Admin\AppData\Local\Temp\3fa3be080313627383038f632654c54234426ac0500519e362d3266a24cdcd5c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Warper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
\Users\Admin\AppData\Local\Temp\Warper.exe

Filesize
10KB

MD5
590bc5f1869d323ee651603bc1db10c1

SHA1
432059aa11209d7fbc4463d273016e07a74476d0

SHA256
931d4a5c4316af1da106c397bbb26cb64986253101b826121a2aff3237da5435

SHA512
b388daae2474838b188ef6331c3bbce30eb3b83379e2fe82bd150c204262b1128d0383e1509684722e1ec906c442d2daa4201a9d8023a6a199f8a17b0886f6dd

Download Submit
memory/808-63-0x0000000000BC0000-0x0000000000BC5000-memory.dmp

Filesize
20KB

Download
memory/1092-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download