bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9

Analysis

max time kernel
57s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe
Size

370KB
MD5

258044255eedf3cd76310e0b3ed33619
SHA1

57fcfad5e481842819e7e50fd345920bc8e2ceb0
SHA256

bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9
SHA512

65f35f5362ccd722c57b59e963478936573025433846169290a744620249ffeb0a4f7a8238210e68bf8a9baf838d49d59eb34c9c79b71e7ce80b3459e8af6785
SSDEEP

6144:T8WqoHN9mQRuA8eFpnMJhS6IjTp0tDPPUz05lMlsKONSBjje:FHjmQRXFGS68pI00DMlHVje

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1600	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
576	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1600	756	bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe	31
PID 756 wrote to memory of 1600	756	bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe	31
PID 756 wrote to memory of 1600	756	bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe	31
PID 756 wrote to memory of 1600	756	bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe	31
PID 1600 wrote to memory of 576	1600	cmd.exe	33
PID 1600 wrote to memory of 576	1600	cmd.exe	33
PID 1600 wrote to memory of 576	1600	cmd.exe	33
PID 1600 wrote to memory of 576	1600	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe
"C:\Users\Admin\AppData\Local\Temp\bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\bc048d5a20b9ee912540c8fe4335e850f9543accf0fea5bb329e6b08df443eb9.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-59-0x0000000000000000-mapping.dmp

Download
memory/756-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/756-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/756-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/756-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1600-57-0x0000000000000000-mapping.dmp

Download