e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7

Analysis

max time kernel
92s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
Size

320KB
MD5

a215b4c13d637d8e3432e012101bedc0
SHA1

0bee171a83448ef6a7d98320dc89aa76b0f9cc49
SHA256

e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7
SHA512

132801e15cd9c4aa71510bf67c24705fd2c56b8b1d9a9eb1e8989a6e9f248af0e2c2a60c20f87e88233fff0181e48c8da8e3ba95d96bd63bd7f9b46ee259bec4
SSDEEP

3072:lnYiFXctfZoPWML/9qB/MWXPw1/6leXpz8xvQCKljTsuZfu:lYiFXOjg9qVvPBleXN8mVwuZ2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1172	gwqcqk.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1164	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2076	1884	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	82
PID 1884 wrote to memory of 2076	1884	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	82
PID 1884 wrote to memory of 2076	1884	e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe	82
PID 2076 wrote to memory of 1172	2076	cmd.exe	84
PID 2076 wrote to memory of 1172	2076	cmd.exe	84
PID 2076 wrote to memory of 1172	2076	cmd.exe	84
PID 2076 wrote to memory of 1164	2076	cmd.exe	85
PID 2076 wrote to memory of 1164	2076	cmd.exe	85
PID 2076 wrote to memory of 1164	2076	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe
"C:\Users\Admin\AppData\Local\Temp\e396b9137910ec6714f47fc834f65f1cc60b5d778c75f7aedf3c457555c285a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kqsxswv.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\gwqcqk.exe
    "C:\Users\Admin\AppData\Local\Temp\gwqcqk.exe"
    3⤵
    - Executes dropped EXE
    PID:1172
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gwqcqk.exe

Filesize
184KB

MD5
e5b01c0029ebf74370940c554802236d

SHA1
93ba1545cf6b859fbf060af3561a3961bd5f9771

SHA256
66f3123d7cf8382a7ce1fb66b0e1e964a24ea7830ec76cbb0c44856bdaef0588

SHA512
07648e4d7860f0ee4fc4697632e99511cb18da086b5502b9f4ef578e329ddd7ec31e026ac4887ee955393394bdbbfed3a92b37abe30a963486da4f61fb79ece6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwqcqk.exe

Filesize
184KB

MD5
e5b01c0029ebf74370940c554802236d

SHA1
93ba1545cf6b859fbf060af3561a3961bd5f9771

SHA256
66f3123d7cf8382a7ce1fb66b0e1e964a24ea7830ec76cbb0c44856bdaef0588

SHA512
07648e4d7860f0ee4fc4697632e99511cb18da086b5502b9f4ef578e329ddd7ec31e026ac4887ee955393394bdbbfed3a92b37abe30a963486da4f61fb79ece6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqsxswv.bat

Filesize
124B

MD5
56aec60e4b97c78644e8bd95234834d0

SHA1
6a72e83de2a48f631482a1edb0388a4cfa8090f7

SHA256
0d0640c0f42fdad0b5142628c80c55fb7d752da94ca907a80e730f7d29fedfab

SHA512
f7acc308a3409455f0ef75b111b35e598e29e1c4cc4581b7ce42d918fe3440f8802864fb3ffb079a5a4e5f758fc6b772418b783931a278f360d6f0063a0fff8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvynbc.bat

Filesize
188B

MD5
4c522216c19ca26a6cac042b763a674f

SHA1
163d2a358d6cc0bfc5b7649a11d2210a8dc900fa

SHA256
3a3932e05133daa24232943f8e273ea064422d95cebb4189ad76849490a6df73

SHA512
901169c1b9c59b6720537f2dce8cb82e614cc6be99591f5c4928ce1b8222c3915842dc0f96798ad834b21bdab2f7e58bcca2bc9aee0fac8440c8c2f55515272e

Download Submit