ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:23

Target

ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe
Size

443KB
MD5

480519599016d416e0a0135def19b38d
SHA1

18a13c050c06f879aa6d6518672acb55ef1c7e4f
SHA256

ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece
SHA512

4177db1ac1e748d6f9402a0cdb86d84b44da3aaeb96024958b8d6059dca9fd78d2f09b2695e59d9589d713235501d43e60fa6af6d2045860eccd5b832920b72c
SSDEEP

6144:dbXaBWjLoV+qw+x1DsWg/0ET1O8/XHxvxyHu7oi6Uet7EzKnXIr:dnoVC+PDHrET1O8PHxsHu7oibY7EzKn

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3368 PING.EXE

pid	process
3368	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.execmd.exe

description	pid	process	target process
PID 4992 wrote to memory of 5084	4992	ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe	cmd.exe
PID 4992 wrote to memory of 5084	4992	ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe	cmd.exe
PID 4992 wrote to memory of 5084	4992	ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe	cmd.exe
PID 5084 wrote to memory of 3368	5084	cmd.exe	PING.EXE
PID 5084 wrote to memory of 3368	5084	cmd.exe	PING.EXE
PID 5084 wrote to memory of 3368	5084	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe
"C:\Users\Admin\AppData\Local\Temp\ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ae6bf31b67b9563962480454cbc2761b3a67208e255a2099cd801a4920a32ece.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:3368

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact