dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6

Analysis

max time kernel
166s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 12:55

Target

dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe
Size

414KB
MD5

54bd653a252026519cab907ce8602626
SHA1

9bec21d8a9b98d1e99495284c258160bcdcffd9a
SHA256

dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6
SHA512

9933541b74d2cf57e614809f078a04ee48b4ad6a5bad0290ac6407d0cc53f89bf022d3d206a50b99491c32f932cc4ee4d50bbfba6da962d4acabada34f32bf18
SSDEEP

6144:Jafac9NZ9hw/xXXb64b7oCuFA3o26O0kLGAsFJFij1RPOZxq:J4jZ9S5nbHPoCuFH20kLIvFij10Z

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5064 PING.EXE

pid	process
5064	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.execmd.exe

description	pid	process	target process
PID 4896 wrote to memory of 880	4896	dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe	cmd.exe
PID 4896 wrote to memory of 880	4896	dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe	cmd.exe
PID 4896 wrote to memory of 880	4896	dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe	cmd.exe
PID 880 wrote to memory of 5064	880	cmd.exe	PING.EXE
PID 880 wrote to memory of 5064	880	cmd.exe	PING.EXE
PID 880 wrote to memory of 5064	880	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe
"C:\Users\Admin\AppData\Local\Temp\dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\dd6c59be3dc873e98bbf128262b704226ec39b23a5ddfd7f6242f48e32625fe6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:5064

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact