cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c

Analysis

max time kernel
96s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe
Size

264KB
MD5

419319f4763e2402a5dc5987964e360c
SHA1

4767bbbbb789bf35ab61279e17743a19edde8010
SHA256

cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c
SHA512

b9742f69dcd3aa08be1e9baf87d7589ee0c357630065df596e239224e8cb263c1b1e230252ebfbc854cac063a89dffcb48a34939e36e3b4c38aea128db3eff7b
SSDEEP

3072:GwPv/7MqIuroKz9kO4xDB+HV/R9UZ8Tr6e4CzmMU5goZGj5JAJVTsuZfs:GwPv/7bIYkOEWZ5F4Czmz5goZC+wuZ0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5032	hveyji.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2160	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4204	5076	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	79
PID 5076 wrote to memory of 4204	5076	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	79
PID 5076 wrote to memory of 4204	5076	cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe	79
PID 4204 wrote to memory of 5032	4204	cmd.exe	81
PID 4204 wrote to memory of 5032	4204	cmd.exe	81
PID 4204 wrote to memory of 5032	4204	cmd.exe	81
PID 4204 wrote to memory of 2160	4204	cmd.exe	82
PID 4204 wrote to memory of 2160	4204	cmd.exe	82
PID 4204 wrote to memory of 2160	4204	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe
"C:\Users\Admin\AppData\Local\Temp\cea881fb37156b763e95b6f80bcd3f31def1d1beddd9eb25be836e403cad000c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crcdfqg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\hveyji.exe
    "C:\Users\Admin\AppData\Local\Temp\hveyji.exe"
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crcdfqg.bat

Filesize
124B

MD5
f29c415a18db80eddfd96843680d01d6

SHA1
8f01a9bad688c40a8fd18e806b4b24c8c835b842

SHA256
591f77a6ed12a8dabff05f64692559733dcb1dfac2ff62466e06c1e5ee27826d

SHA512
5a412cbcab795d424db2cd4147a1ef19067bcba51eda3f29f5018756f28ee4b4dda21a3898e9f2b764cfd6a3c99544fc3d92f6d93e48e9a721eef9829d084743

Download Submit
C:\Users\Admin\AppData\Local\Temp\hveyji.exe

Filesize
168KB

MD5
8e73f646bd3e20957d8931dbb007d611

SHA1
c0e58031f1437d4c65af07de27b32a45a59f53aa

SHA256
f1cb1a3cff023d496dda499daf3be1ced9559a132c2b34076e632f7324d0cf38

SHA512
2feea5208175753fc6414b595472ebf63a505772e4b1b479374158314ef7dd55eb626bf7689ab3cadf39924652f446d9c171bb5705d6af6ef84765eb55b547bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hveyji.exe

Filesize
168KB

MD5
8e73f646bd3e20957d8931dbb007d611

SHA1
c0e58031f1437d4c65af07de27b32a45a59f53aa

SHA256
f1cb1a3cff023d496dda499daf3be1ced9559a132c2b34076e632f7324d0cf38

SHA512
2feea5208175753fc6414b595472ebf63a505772e4b1b479374158314ef7dd55eb626bf7689ab3cadf39924652f446d9c171bb5705d6af6ef84765eb55b547bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjfecu.bat

Filesize
188B

MD5
0f53272142e5131936f5d67f18dd53bd

SHA1
f12a242c33248dc0132daa0bd17ffcae1e7aa554

SHA256
45b12d3087928616936754853ed86b6b0587edd2a56f2a7006fb5e54fa0ff9d8

SHA512
3074c4f930c6fea49785ad344ecdeff07c7cc388d86b202890f244fee9998b2291fb0add94caa6beb6bc55871c74f11b1929b5d294bb8ff77a33570019e03651

Download Submit