aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc

Analysis

max time kernel
167s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe
Size

272KB
MD5

508c4c61eb4973549529e385604a110a
SHA1

6fd10a6b43753acdea25f7de6a6a2a07b9558f14
SHA256

aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc
SHA512

ace05506c6a67c7e42f20c7add07d0d1b29ff53c5b99f0657f4deed5ad6520ede649ac291c2431eaec881d15f36f346ed08245a4764e867e5f0384e092a86931
SSDEEP

3072:AeJecgkgegoBhUq8yUZFWEVsS+bnARWiGi9DB3KLqL2LzJQxdPfA:AeJeGgy2ZEEVsS+MR4i9DB3KZLz6PI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
508	slirwd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4260	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3908	1672	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	76
PID 1672 wrote to memory of 3908	1672	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	76
PID 1672 wrote to memory of 3908	1672	aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe	76
PID 3908 wrote to memory of 508	3908	cmd.exe	78
PID 3908 wrote to memory of 508	3908	cmd.exe	78
PID 3908 wrote to memory of 508	3908	cmd.exe	78
PID 3908 wrote to memory of 4260	3908	cmd.exe	79
PID 3908 wrote to memory of 4260	3908	cmd.exe	79
PID 3908 wrote to memory of 4260	3908	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe
"C:\Users\Admin\AppData\Local\Temp\aaae0bb8978d1e2e9555442b0dfab8f73936c461e678f71eee11120abd4d6cfc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uarwbir.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\slirwd.exe
    "C:\Users\Admin\AppData\Local\Temp\slirwd.exe"
    3⤵
    - Executes dropped EXE
    PID:508
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slirwd.exe

Filesize
180KB

MD5
5fa5650d652e220bd550376f23657db1

SHA1
f16995a80e06c87ce48328b9121d370e2199574b

SHA256
0bff5fa75f6139eeb2819dede2ba4c46095433a86b9f81471fab9452dc315932

SHA512
fc5c12d66778cb0ca0afc4ed969644cf0663b110e9232af8261290781fc938289dd8ebe43cde8a9ee957aa3ee7981a93160bf7005813597aef014b58c2f86223

Download Submit
C:\Users\Admin\AppData\Local\Temp\slirwd.exe

Filesize
180KB

MD5
5fa5650d652e220bd550376f23657db1

SHA1
f16995a80e06c87ce48328b9121d370e2199574b

SHA256
0bff5fa75f6139eeb2819dede2ba4c46095433a86b9f81471fab9452dc315932

SHA512
fc5c12d66778cb0ca0afc4ed969644cf0663b110e9232af8261290781fc938289dd8ebe43cde8a9ee957aa3ee7981a93160bf7005813597aef014b58c2f86223

Download Submit
C:\Users\Admin\AppData\Local\Temp\uarwbir.bat

Filesize
124B

MD5
e21c7f8cf8d671266a09b3bee61ff854

SHA1
5552e3222231c23ece20d68dd426c877d809a087

SHA256
3028c4c132953f99d2ea0b1a0c85517a516ece08ef357edf93c34eaa1faaa405

SHA512
1dbf5803b66a653d15d9e62b0c68af286cd6c4bf78531d733fc18fb9956f62136e3f1d3d2afb745cda998550815240cf3c2b1e619201b0f63ab14c69644bec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxhogt.bat

Filesize
188B

MD5
3ef208932e2ad9e704a0127d555f692a

SHA1
95d847e1992b61526218315f66fed038342d2448

SHA256
29544f84962f9d371c9f5ab1fefc58d080835dab45fe43456f460802d0807632

SHA512
742786774a9aab01752dc99716f5b5fbd3093ab6fd688f4f34433d4620be7940e0830a6207c27bfdf52c097a1edd409db90ad4d1f6827e7cb161a572e3cb5d4f

Download Submit