498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d

Analysis

max time kernel
147s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:24

Target

498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe
Size

414KB
MD5

bd71fd1a4f375f68f75772b734a7c8c6
SHA1

ce518eedbb39b97019248b75c39172f0b966ca66
SHA256

498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d
SHA512

0045c9bffe07df46f155449e080e6b3b1841f4b0d665676a27d5940638cd063e7fb2d63796aba884e55aec3d5af5a82eb580ffec94cfb8ab7cfef6521ee3c1a2
SSDEEP

6144:rgrtzi+hNe6C2afXdiVmmK2NoXEmtho30nuQdbrJ95Z3y5Szg:rKtl/UhfXdiVQ2SENkntdbrJ95Z3

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1728 PING.EXE

pid	process
1728	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.execmd.exe

description	pid	process	target process
PID 3492 wrote to memory of 3488	3492	498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe	cmd.exe
PID 3492 wrote to memory of 3488	3492	498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe	cmd.exe
PID 3492 wrote to memory of 3488	3492	498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe	cmd.exe
PID 3488 wrote to memory of 1728	3488	cmd.exe	PING.EXE
PID 3488 wrote to memory of 1728	3488	cmd.exe	PING.EXE
PID 3488 wrote to memory of 1728	3488	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe
"C:\Users\Admin\AppData\Local\Temp\498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\498d324d64c9c86db04fc609c2fb937acc916c710316cad1c0ca5607feeb7d4d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1728

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact