a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e

Analysis

max time kernel
184s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e.exe
Size

320KB
MD5

8b0955bcd60ddeb59700e888f8e6ac6e
SHA1

0a724784552445ef4563b6cb174fc082f2575cdb
SHA256

a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e
SHA512

1d728554fe6784ce8431068fbbf24bb0e942b45123b269b537f1b95699151899bbfdce2cf553b96f68d1acf7142bb2cebf0981f57d0ee38d4f69ae0d34c4bbe3
SSDEEP

3072:9vMXc3pmroeqZH+YyJpj5fWdzxdvved+gOBj3WwTsuZfW:9vMXupMYo1fWd9c8gOkwwuZu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3268	gkfcax.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4544	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1420	4920	a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e.exe	80
PID 4920 wrote to memory of 1420	4920	a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e.exe	80
PID 4920 wrote to memory of 1420	4920	a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e.exe	80
PID 1420 wrote to memory of 3268	1420	cmd.exe	82
PID 1420 wrote to memory of 3268	1420	cmd.exe	82
PID 1420 wrote to memory of 3268	1420	cmd.exe	82
PID 1420 wrote to memory of 4544	1420	cmd.exe	83
PID 1420 wrote to memory of 4544	1420	cmd.exe	83
PID 1420 wrote to memory of 4544	1420	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e.exe
"C:\Users\Admin\AppData\Local\Temp\a0b602393bf581a9d3fc327968cd68c99dfe00b28956940c27f430abbae2b68e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dhurdrx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\gkfcax.exe
    "C:\Users\Admin\AppData\Local\Temp\gkfcax.exe"
    3⤵
    - Executes dropped EXE
    PID:3268
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dhurdrx.bat

Filesize
124B

MD5
c8d51e6c79874f87e0947c275296bf0b

SHA1
5281b490acb49dd32467dd944edff1f4f14093c8

SHA256
65bff571f5ca887ddc2e9514565cfc56a0bf891b50ff9d5d3ab91ebdee9bf477

SHA512
d7f1ec4443e70a0871f9000a23cc1e3f92fdeeac2f1ef47e8aeab9d951e1a6bd0859d4c84c1aeaddc701c947258e46fa195e61739d2b53e291d51d36108747a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkfcax.exe

Filesize
184KB

MD5
7ceb95aae776b4a6c36460ce18acd32c

SHA1
4f6480493912dbedce0ba80e6de6c9f825c99c5e

SHA256
0e2875c31af48bffacb06536a2f2b006516c9725dc51652d03b90f638d5f3e41

SHA512
d8f95c09a0078268760105e4f012fd6b100be38f48cf3eb90e52d877a873e8b4a4e3c1f02da5f6121171b39901c9b8ba62fc807918253c8580a2c097f89f03ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkfcax.exe

Filesize
184KB

MD5
7ceb95aae776b4a6c36460ce18acd32c

SHA1
4f6480493912dbedce0ba80e6de6c9f825c99c5e

SHA256
0e2875c31af48bffacb06536a2f2b006516c9725dc51652d03b90f638d5f3e41

SHA512
d8f95c09a0078268760105e4f012fd6b100be38f48cf3eb90e52d877a873e8b4a4e3c1f02da5f6121171b39901c9b8ba62fc807918253c8580a2c097f89f03ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwcrpm.bat

Filesize
188B

MD5
7aec7a746505330aef598d882372f5c7

SHA1
299b43194afe63248e6111d981f45f3e7e226ce7

SHA256
740896adde23ace5710ec88c6643a4b42b167818f9e4f59718960441f7d3eae9

SHA512
6eacd87605893f2326b6050d1b94a036de9b1ee067eb1ed2bda0950b6d8adde93a80d89b72280c812d26c1415718122a29413e207500bfad0424478ebad8e8cb

Download Submit