cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe
Size

414KB
MD5

49efc1e75df1ea6fea40efb2fda4c50a
SHA1

f9c7843bf25562c35b023b208e2567ef144368da
SHA256

cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89
SHA512

14a0d44a02a597179ec08dbb1aa9db3e07df35b7d3e09f49a24acb2d802b004b3e54119fb7fdfd56ea2668498d2d38b34675e8ef3b79750a7fdd040614c77bc7
SSDEEP

6144:yJ+1wd47wBypW8/0HJP0zI+7oaX127LRpABa4I031DbUbxgFsZX5FRvIHxRTlDD:Dwd47oypWmC8wfvXG31D9sZpFKhDD

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Temps.bat	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe
File opened for modification	C:\Program Files\Common Files\Temps.bat	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

pid	Process
1768	PING.EXE
1576	PING.EXE
760	PING.EXE
1088	PING.EXE
892	PING.EXE
1248	PING.EXE
1496	PING.EXE
1664	PING.EXE
864	PING.EXE
1672	PING.EXE
1644	PING.EXE
932	PING.EXE
1892	PING.EXE
544	PING.EXE
1556	PING.EXE
1568	PING.EXE
1524	PING.EXE
688	PING.EXE
800	PING.EXE
1792	PING.EXE
1072	PING.EXE
1492	PING.EXE
664	PING.EXE
1332	PING.EXE
1660	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1700	1368	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	27
PID 1368 wrote to memory of 1700	1368	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	27
PID 1368 wrote to memory of 1700	1368	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	27
PID 1368 wrote to memory of 1700	1368	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	27
PID 1700 wrote to memory of 940	1700	cmd.exe	29
PID 1700 wrote to memory of 940	1700	cmd.exe	29
PID 1700 wrote to memory of 940	1700	cmd.exe	29
PID 1700 wrote to memory of 940	1700	cmd.exe	29
PID 1700 wrote to memory of 892	1700	cmd.exe	30
PID 1700 wrote to memory of 892	1700	cmd.exe	30
PID 1700 wrote to memory of 892	1700	cmd.exe	30
PID 1700 wrote to memory of 892	1700	cmd.exe	30
PID 1700 wrote to memory of 1644	1700	cmd.exe	31
PID 1700 wrote to memory of 1644	1700	cmd.exe	31
PID 1700 wrote to memory of 1644	1700	cmd.exe	31
PID 1700 wrote to memory of 1644	1700	cmd.exe	31
PID 1700 wrote to memory of 932	1700	cmd.exe	32
PID 1700 wrote to memory of 932	1700	cmd.exe	32
PID 1700 wrote to memory of 932	1700	cmd.exe	32
PID 1700 wrote to memory of 932	1700	cmd.exe	32
PID 1700 wrote to memory of 1248	1700	cmd.exe	33
PID 1700 wrote to memory of 1248	1700	cmd.exe	33
PID 1700 wrote to memory of 1248	1700	cmd.exe	33
PID 1700 wrote to memory of 1248	1700	cmd.exe	33
PID 1700 wrote to memory of 1492	1700	cmd.exe	34
PID 1700 wrote to memory of 1492	1700	cmd.exe	34
PID 1700 wrote to memory of 1492	1700	cmd.exe	34
PID 1700 wrote to memory of 1492	1700	cmd.exe	34
PID 1700 wrote to memory of 664	1700	cmd.exe	35
PID 1700 wrote to memory of 664	1700	cmd.exe	35
PID 1700 wrote to memory of 664	1700	cmd.exe	35
PID 1700 wrote to memory of 664	1700	cmd.exe	35
PID 1700 wrote to memory of 688	1700	cmd.exe	36
PID 1700 wrote to memory of 688	1700	cmd.exe	36
PID 1700 wrote to memory of 688	1700	cmd.exe	36
PID 1700 wrote to memory of 688	1700	cmd.exe	36
PID 1700 wrote to memory of 1332	1700	cmd.exe	37
PID 1700 wrote to memory of 1332	1700	cmd.exe	37
PID 1700 wrote to memory of 1332	1700	cmd.exe	37
PID 1700 wrote to memory of 1332	1700	cmd.exe	37
PID 1700 wrote to memory of 1496	1700	cmd.exe	38
PID 1700 wrote to memory of 1496	1700	cmd.exe	38
PID 1700 wrote to memory of 1496	1700	cmd.exe	38
PID 1700 wrote to memory of 1496	1700	cmd.exe	38
PID 1700 wrote to memory of 1664	1700	cmd.exe	39
PID 1700 wrote to memory of 1664	1700	cmd.exe	39
PID 1700 wrote to memory of 1664	1700	cmd.exe	39
PID 1700 wrote to memory of 1664	1700	cmd.exe	39
PID 1700 wrote to memory of 1660	1700	cmd.exe	40
PID 1700 wrote to memory of 1660	1700	cmd.exe	40
PID 1700 wrote to memory of 1660	1700	cmd.exe	40
PID 1700 wrote to memory of 1660	1700	cmd.exe	40
PID 1700 wrote to memory of 1768	1700	cmd.exe	41
PID 1700 wrote to memory of 1768	1700	cmd.exe	41
PID 1700 wrote to memory of 1768	1700	cmd.exe	41
PID 1700 wrote to memory of 1768	1700	cmd.exe	41
PID 1700 wrote to memory of 800	1700	cmd.exe	42
PID 1700 wrote to memory of 800	1700	cmd.exe	42
PID 1700 wrote to memory of 800	1700	cmd.exe	42
PID 1700 wrote to memory of 800	1700	cmd.exe	42
PID 1700 wrote to memory of 1892	1700	cmd.exe	43
PID 1700 wrote to memory of 1892	1700	cmd.exe	43
PID 1700 wrote to memory of 1892	1700	cmd.exe	43
PID 1700 wrote to memory of 1892	1700	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe
"C:\Users\Admin\AppData\Local\Temp\cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\PROGRA~1\COMMON~1\temps.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\mode.com
    mode con cols=60 lines=35
    3⤵
    PID:940
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:892
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1644
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:932
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1248
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1492
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:664
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:688
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1332
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1496
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1664
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1660
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1768
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:800
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1892
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1792
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1072
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:544
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1556
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1576
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:760
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1088
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1568
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1524
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1672
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\Temps.bat

Filesize
3KB

MD5
6e3d74ad6eaf660026bc8acf76c95673

SHA1
4d1d9bc80e65ef4c675f8ce7fe64eefba88ea1cf

SHA256
cd23638db56b94f587cbbda0b488d3a4da018bb16b3a318ff716f915906f1f0f

SHA512
7f990f638c349b3760b90756ef4bf48ea8fbc527ab34c2ecc3e85df7c2f0cf6c0beb01530e57b24c4c3df14ba1671c34f9230e25619777aed3584c4e1165a54c

Download Submit
memory/544-73-0x0000000000000000-mapping.dmp

Download
memory/664-62-0x0000000000000000-mapping.dmp

Download
memory/688-63-0x0000000000000000-mapping.dmp

Download
memory/760-76-0x0000000000000000-mapping.dmp

Download
memory/800-69-0x0000000000000000-mapping.dmp

Download
memory/864-81-0x0000000000000000-mapping.dmp

Download
memory/892-57-0x0000000000000000-mapping.dmp

Download
memory/932-59-0x0000000000000000-mapping.dmp

Download
memory/940-56-0x0000000000000000-mapping.dmp

Download
memory/1072-72-0x0000000000000000-mapping.dmp

Download
memory/1088-77-0x0000000000000000-mapping.dmp

Download
memory/1248-60-0x0000000000000000-mapping.dmp

Download
memory/1332-64-0x0000000000000000-mapping.dmp

Download
memory/1492-61-0x0000000000000000-mapping.dmp

Download
memory/1496-65-0x0000000000000000-mapping.dmp

Download
memory/1524-79-0x0000000000000000-mapping.dmp

Download
memory/1556-74-0x0000000000000000-mapping.dmp

Download
memory/1568-78-0x0000000000000000-mapping.dmp

Download
memory/1576-75-0x0000000000000000-mapping.dmp

Download
memory/1644-58-0x0000000000000000-mapping.dmp

Download
memory/1660-67-0x0000000000000000-mapping.dmp

Download
memory/1664-66-0x0000000000000000-mapping.dmp

Download
memory/1672-80-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x0000000000000000-mapping.dmp

Download
memory/1768-68-0x0000000000000000-mapping.dmp

Download
memory/1792-71-0x0000000000000000-mapping.dmp

Download
memory/1892-70-0x0000000000000000-mapping.dmp

Download