73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d

Analysis

max time kernel
116s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d.exe
Size

284KB
MD5

de1d92b79fa0c9bebec5bb2aefa44a45
SHA1

45c0469b05d822958dd8de5f1ff12df6b584975c
SHA256

73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d
SHA512

38d60e9b9bea6fd1d13e38f768e51cf3048ed0903f1fd5ad54b577134f3aea26a331ecba53228d690e1499ec7d91ec49157db677e5a21b35987774b3926aa493
SSDEEP

3072:/33hMXcip5o3zo/I1nc+6lBqZv/R0GEZFmp4cArdmA8WlK1slURMGTsuZft:/HhMXhMzYu6lBnG4BGGK1tXwuZl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4400	kkgtca.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3740	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4932	3796	73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d.exe	80
PID 3796 wrote to memory of 4932	3796	73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d.exe	80
PID 3796 wrote to memory of 4932	3796	73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d.exe	80
PID 4932 wrote to memory of 4400	4932	cmd.exe	82
PID 4932 wrote to memory of 4400	4932	cmd.exe	82
PID 4932 wrote to memory of 4400	4932	cmd.exe	82
PID 4932 wrote to memory of 3740	4932	cmd.exe	83
PID 4932 wrote to memory of 3740	4932	cmd.exe	83
PID 4932 wrote to memory of 3740	4932	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d.exe
"C:\Users\Admin\AppData\Local\Temp\73f8a916e2cdcb3c50d79c72c367b3cf5022e710e631330a0c4ac3d8a0e7fd1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njtmilo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\kkgtca.exe
    "C:\Users\Admin\AppData\Local\Temp\kkgtca.exe"
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kkgtca.exe

Filesize
184KB

MD5
08871bf3f715ba0c5fabdc66c177b817

SHA1
5b7f1704f6c2b11f167637bfe5861efec7491d8e

SHA256
5d1af63361ff981e8ce1fd2fdb515027d0f194e62e391a5cb964bc775f2081e6

SHA512
1d570f226ab032002ffcfdf4a6673a8ca2aef09473e2094019243281cc41848bfcac32ee18720fa8509d2a70eb0ab26a44f161b87610df8348a36bc45bcd543e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkgtca.exe

Filesize
184KB

MD5
08871bf3f715ba0c5fabdc66c177b817

SHA1
5b7f1704f6c2b11f167637bfe5861efec7491d8e

SHA256
5d1af63361ff981e8ce1fd2fdb515027d0f194e62e391a5cb964bc775f2081e6

SHA512
1d570f226ab032002ffcfdf4a6673a8ca2aef09473e2094019243281cc41848bfcac32ee18720fa8509d2a70eb0ab26a44f161b87610df8348a36bc45bcd543e

Download Submit
C:\Users\Admin\AppData\Local\Temp\njtmilo.bat

Filesize
124B

MD5
73d0be8b15c8405db6f9891cba3bb54f

SHA1
00348811885097e6953bb4d61cbdf55ca8fed0e2

SHA256
3cca2aa162daeef71f20cbb7147d351ff239e2f27689935965feaeb0f1ebab98

SHA512
bf23a559e4176fd5b9b159a12caccb66d0a4ec2f4248c0bd7cea1c56754261e1eb26082d98defa0b8983434493922f824d753fad0850114a943ae4523351c935

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofghdc.bat

Filesize
188B

MD5
aaea0b5ccc74042598e477e85dc8023a

SHA1
ee104393f1bdb641fda92c197b8a03367c1158da

SHA256
3ec8df5f70fc8c3911efe60c350148ee6f0397709b349ae476054eb79546b21b

SHA512
a5c12f2ca7607f6fba41f4c01c83b6daf5fc6c29924ab849832145e47dff9a0011a63cdd83472438224d22e70e556cb217c039b6580884c6de7b51266f3ff232

Download Submit