e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 09:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe
Size

272KB
MD5

48fc1b7761ae1d55a8371e4dafc200bc
SHA1

1c43d5e964ecb8b585e38ab54a4b6515211d063b
SHA256

e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e
SHA512

7e4f504f1970595052193ce0e6b43efbdc24ff2a8fb238a072980c5d0fd755dddff9ea5eb1ecda2b7d64f098885c0224732c0a25ec34d189f7f5a19cd57f0dc4
SSDEEP

3072:n8z5cMcIAoyD/EmB8LmzpnvQ8CLBLxtB5ii0pN02WGZTsuZfz:nc5cf1D/hEmzpfCZxf5jSj9wuZL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	gwkprm.exe

Deletes itself 1 IoCs

pid	Process
1212	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1212	cmd.exe
1212	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1400	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1212	1468	e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe	28
PID 1468 wrote to memory of 1212	1468	e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe	28
PID 1468 wrote to memory of 1212	1468	e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe	28
PID 1468 wrote to memory of 1212	1468	e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe	28
PID 1212 wrote to memory of 1748	1212	cmd.exe	30
PID 1212 wrote to memory of 1748	1212	cmd.exe	30
PID 1212 wrote to memory of 1748	1212	cmd.exe	30
PID 1212 wrote to memory of 1748	1212	cmd.exe	30
PID 1212 wrote to memory of 1400	1212	cmd.exe	31
PID 1212 wrote to memory of 1400	1212	cmd.exe	31
PID 1212 wrote to memory of 1400	1212	cmd.exe	31
PID 1212 wrote to memory of 1400	1212	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe
"C:\Users\Admin\AppData\Local\Temp\e5cd1a987577fb377cf32c620d1a0f92f29c1e6aec1480806095f14f0e79016e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\anxscnj.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\gwkprm.exe
    "C:\Users\Admin\AppData\Local\Temp\gwkprm.exe"
    3⤵
    - Executes dropped EXE
    PID:1748
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\anxscnj.bat

Filesize
124B

MD5
0392a744ef6718bf2cb325b6ab97e14b

SHA1
ed2f3008f066a18a801d9e1eff9d37fa65f1b997

SHA256
adcd1e72cee1f4ba2c3ece89557c8c857e675bceb8d8032881988fb4eb67b197

SHA512
7938561258eb6ceed3c948131986fadfedf4ec677bcf0b70bbedcd084d9ba9177eb3ad4eeefb287a19f36442f914b89f0eac4b8aee2d8f6067c7d03e4b58f336

Download Submit
C:\Users\Admin\AppData\Local\Temp\driqrs.bat

Filesize
188B

MD5
c1fc5342bbbf31ec1b4df55f9c04f0ab

SHA1
360979eb988c7d13b4f16afa75d9fc5091edb0a9

SHA256
de1100efbd39cdcbe34951aa519beaed13c8e1a556c7051a0b21428580e912fe

SHA512
8b23f87ad2f313e3ec91c663f063bf44c7e9e2c0aba897a98e022f563026ada38bf69d26fa17185be793ef19b4c597ffae5ee235c27407793efcd1f45ebc32bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwkprm.exe

Filesize
172KB

MD5
8ba98d9ca607b6e0384c6fe41165d58b

SHA1
41652c075c5d55ca8d4c06b6933afbe83b953fa4

SHA256
64ad31aa7788574eb4bfd113f731e95eb31b5227b29cb51e05312e77f6f8b4a1

SHA512
9c115c81e1caae2327ca6482548367dab9140a0c81305f746a5a9192efd92e5d7abc68f1aa9a613eee7b32a3b5a5813be32e57b89aa906ce363197fc161e2879

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwkprm.exe

Filesize
172KB

MD5
8ba98d9ca607b6e0384c6fe41165d58b

SHA1
41652c075c5d55ca8d4c06b6933afbe83b953fa4

SHA256
64ad31aa7788574eb4bfd113f731e95eb31b5227b29cb51e05312e77f6f8b4a1

SHA512
9c115c81e1caae2327ca6482548367dab9140a0c81305f746a5a9192efd92e5d7abc68f1aa9a613eee7b32a3b5a5813be32e57b89aa906ce363197fc161e2879

Download Submit
\Users\Admin\AppData\Local\Temp\gwkprm.exe

Filesize
172KB

MD5
8ba98d9ca607b6e0384c6fe41165d58b

SHA1
41652c075c5d55ca8d4c06b6933afbe83b953fa4

SHA256
64ad31aa7788574eb4bfd113f731e95eb31b5227b29cb51e05312e77f6f8b4a1

SHA512
9c115c81e1caae2327ca6482548367dab9140a0c81305f746a5a9192efd92e5d7abc68f1aa9a613eee7b32a3b5a5813be32e57b89aa906ce363197fc161e2879

Download Submit
\Users\Admin\AppData\Local\Temp\gwkprm.exe

Filesize
172KB

MD5
8ba98d9ca607b6e0384c6fe41165d58b

SHA1
41652c075c5d55ca8d4c06b6933afbe83b953fa4

SHA256
64ad31aa7788574eb4bfd113f731e95eb31b5227b29cb51e05312e77f6f8b4a1

SHA512
9c115c81e1caae2327ca6482548367dab9140a0c81305f746a5a9192efd92e5d7abc68f1aa9a613eee7b32a3b5a5813be32e57b89aa906ce363197fc161e2879

Download Submit
memory/1468-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download