40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44

Analysis

max time kernel
168s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:30

Target

40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe
Size

443KB
MD5

3a3183ff95e66e56030b9b38432beb3a
SHA1

abb689ca44e41c52bf7b7faf80c2d52532d855a6
SHA256

40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44
SHA512

211df3b72e5706f718f2453ddd938de4f18e75538bf57d749cbb6c71d904f2eafac0239b0dadaf1d4e1aac91b5f37a2b53023a41c5a0dda90978c44c31c82c93
SSDEEP

6144:dbXaBWjLoV+qw+x1DsWg/0ET1O8/XHxvxyHu7oi6Uet7EzKdXIr:dnoVC+PDHrET1O8PHxsHu7oibY7EzKd

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3620 PING.EXE

pid	process
3620	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 2540	2168	40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe	cmd.exe
PID 2168 wrote to memory of 2540	2168	40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe	cmd.exe
PID 2168 wrote to memory of 2540	2168	40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe	cmd.exe
PID 2540 wrote to memory of 3620	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 3620	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 3620	2540	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe
"C:\Users\Admin\AppData\Local\Temp\40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\40157564333830d69d9fd091c3c289ff69cd2ce0b8f8007c579ea12bef1fbc44.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:3620

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact