290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0

Analysis

max time kernel
189s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:43

Target

290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe
Size

551KB
MD5

f52e322067f40aaf53116a67fae43788
SHA1

0504b0ccc1283e867c4a4358fbdfd44080ce63c7
SHA256

290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0
SHA512

2f4002b0c53454dce0a28e0b33196970a649bc5fece6dc967459754651235f5b397488527fe885ab100fbde94fa86b8cc2ce6d8ff81726168ceaf5b9ba892631
SSDEEP

12288:NmQQ1UDqCJUdBOkuLZSyEtpmZ4X02syHDCqgv7bTd:7QerJiYPLZS73OZKtA7V

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3336 PING.EXE

pid	process
3336	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.execmd.exe

description	pid	process	target process
PID 4324 wrote to memory of 1480	4324	290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe	cmd.exe
PID 4324 wrote to memory of 1480	4324	290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe	cmd.exe
PID 4324 wrote to memory of 1480	4324	290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe	cmd.exe
PID 1480 wrote to memory of 3336	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3336	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3336	1480	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe
"C:\Users\Admin\AppData\Local\Temp\290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\290529e31b6d12fd68b000e0113d966bea444d3ccf17e0cc433aa53d8a8301f0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:3336

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact