7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811

Analysis

max time kernel
92s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811.exe
Size

280KB
MD5

e73c6f92b6bd3b1a09403ce77747b1ae
SHA1

5d329071f0821c352a0e24203c3677ebcf4196c9
SHA256

7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811
SHA512

2e25a988790ee5d979b2a12e6f92a7748b90cf8eb2e71e485d96eba2d62716a1aad79fb44ade701fb35969d207027292b33a593e1960044f09724f768f78444d
SSDEEP

3072:FOufEMxUYgomA4Mu4wNmhYJmDW0II+RYyJemUF/A8fuCol2TsuZfZ:FOufEFx7IIIYMmUFnml2wuZx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4824	hpotvz.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1448	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 384	4396	7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811.exe	80
PID 4396 wrote to memory of 384	4396	7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811.exe	80
PID 4396 wrote to memory of 384	4396	7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811.exe	80
PID 384 wrote to memory of 4824	384	cmd.exe	82
PID 384 wrote to memory of 4824	384	cmd.exe	82
PID 384 wrote to memory of 4824	384	cmd.exe	82
PID 384 wrote to memory of 1448	384	cmd.exe	83
PID 384 wrote to memory of 1448	384	cmd.exe	83
PID 384 wrote to memory of 1448	384	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811.exe
"C:\Users\Admin\AppData\Local\Temp\7656d382e9ba9152b9c5c9b61b1c64b5e7e33eae3fc75deec1db7d6eb975e811.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pupohec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\hpotvz.exe
    "C:\Users\Admin\AppData\Local\Temp\hpotvz.exe"
    3⤵
    - Executes dropped EXE
    PID:4824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpotvz.exe

Filesize
180KB

MD5
bc0ba36b6fa6ee2955742c2beab4bfa8

SHA1
379f574a9268de55c9abc1d5ef5cb13bea38c886

SHA256
da0ed46ff96bd0564fc48be1508c9295b50e6b5e773ecee0f192cf0ba194a271

SHA512
7a979c95deb8caf93c75305eb83b593d12f4ac2863ec1f871fc589a64500d0c640fa6bcb27a3bcc4132064872a8dd27ab62bd1f6bb6a64fd90354499f7d177d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpotvz.exe

Filesize
180KB

MD5
bc0ba36b6fa6ee2955742c2beab4bfa8

SHA1
379f574a9268de55c9abc1d5ef5cb13bea38c886

SHA256
da0ed46ff96bd0564fc48be1508c9295b50e6b5e773ecee0f192cf0ba194a271

SHA512
7a979c95deb8caf93c75305eb83b593d12f4ac2863ec1f871fc589a64500d0c640fa6bcb27a3bcc4132064872a8dd27ab62bd1f6bb6a64fd90354499f7d177d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mktzws.bat

Filesize
188B

MD5
86f88dae1c823fc4dac029dabbd2ffc0

SHA1
0d5ea89b73b78891b952aa7b3fd3ec26d190c41b

SHA256
9df6089ae532fb18fe1803e4b1435a18238c230b50a2c4cc2fbf3479349fcdb2

SHA512
40ab083d7e6220e887a243dd4886f43083e6bdf4a53a38ada0e3e6c7f29fa5fd5625ce54b39d4d0f693aafeb0dd3a9e0c05e5a8923abdada9ee156f91535cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pupohec.bat

Filesize
124B

MD5
f0748a47eb3da0563e61d55af657a8b8

SHA1
152c452f209abd0ab1b87ddf10c712ffa48cb3a7

SHA256
13aad8d52f7205bf55ed99bfc408b95955617e417d13ffc2271335689c5e01f8

SHA512
3d5faa686de8d8d1efc326452b7281c0ed699f795b08c19fa69deb69ddae71ac9e54346ff8e71dec37a84823087b73ad20e18bfce00ff11a6da5ec13b14f9775

Download Submit
memory/384-132-0x0000000000000000-mapping.dmp

Download
memory/1448-138-0x0000000000000000-mapping.dmp

Download
memory/4824-135-0x0000000000000000-mapping.dmp

Download