7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482

Analysis

max time kernel
145s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 22:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe
Size

78KB
MD5

03c6279c1bbb72222896b3047dc10363
SHA1

6b148cf5ad6ff8f9a5d55e969582f711b7b9da89
SHA256

7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482
SHA512

14ffd05c8bcd9b805ef1d378517d3671d821f1216f8fab840f3ac0a60ba3b0046e601b3376d963d96c9c0ceb70955a07da2f12f825ad7d8464940f62d76013bc
SSDEEP

1536:YfXZDGLxAJMdF2MWKQ4IL/NhyDUoB4tsv+I3i8K5u3lzU/3N04r8SEbZ3MQPJ9ig:YfXuHW0EitoWit5u1z+04r8DbpvPYa

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4544	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4920	7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4888	4920	7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe	81
PID 4920 wrote to memory of 4888	4920	7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe	81
PID 4920 wrote to memory of 4888	4920	7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe	81
PID 4888 wrote to memory of 4544	4888	cmd.exe	83
PID 4888 wrote to memory of 4544	4888	cmd.exe	83
PID 4888 wrote to memory of 4544	4888	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe
"C:\Users\Admin\AppData\Local\Temp\7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\cd.bat&echo del "C:\Users\Admin\AppData\Local\Temp\7e5ad3c8bac0cab39a3b08a81755ce8d935febdccf163f4894b809a2b1c5b482.exe">>c:\cd.bat&echo del c:\cd.bat>>c:\cd.bat&c:\cd.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4920-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download