cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89

Analysis

max time kernel
112s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe
Size

414KB
MD5

49efc1e75df1ea6fea40efb2fda4c50a
SHA1

f9c7843bf25562c35b023b208e2567ef144368da
SHA256

cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89
SHA512

14a0d44a02a597179ec08dbb1aa9db3e07df35b7d3e09f49a24acb2d802b004b3e54119fb7fdfd56ea2668498d2d38b34675e8ef3b79750a7fdd040614c77bc7
SSDEEP

6144:yJ+1wd47wBypW8/0HJP0zI+7oaX127LRpABa4I031DbUbxgFsZX5FRvIHxRTlDD:Dwd47oypWmC8wfvXG31D9sZpFKhDD

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Temps.bat	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe
File opened for modification	C:\Program Files\Common Files\Temps.bat	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

pid	Process
4400	PING.EXE
1108	PING.EXE
4300	PING.EXE
4292	PING.EXE
4620	PING.EXE
3200	PING.EXE
4304	PING.EXE
1528	PING.EXE
2328	PING.EXE
5012	PING.EXE
1364	PING.EXE
1344	PING.EXE
4080	PING.EXE
4552	PING.EXE
1676	PING.EXE
1124	PING.EXE
2440	PING.EXE
1480	PING.EXE
240	PING.EXE
4348	PING.EXE
3060	PING.EXE
216	PING.EXE
1336	PING.EXE
812	PING.EXE
4236	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 1288	5088	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	79
PID 5088 wrote to memory of 1288	5088	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	79
PID 5088 wrote to memory of 1288	5088	cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe	79
PID 1288 wrote to memory of 4660	1288	cmd.exe	81
PID 1288 wrote to memory of 4660	1288	cmd.exe	81
PID 1288 wrote to memory of 4660	1288	cmd.exe	81
PID 1288 wrote to memory of 1676	1288	cmd.exe	82
PID 1288 wrote to memory of 1676	1288	cmd.exe	82
PID 1288 wrote to memory of 1676	1288	cmd.exe	82
PID 1288 wrote to memory of 812	1288	cmd.exe	83
PID 1288 wrote to memory of 812	1288	cmd.exe	83
PID 1288 wrote to memory of 812	1288	cmd.exe	83
PID 1288 wrote to memory of 4236	1288	cmd.exe	84
PID 1288 wrote to memory of 4236	1288	cmd.exe	84
PID 1288 wrote to memory of 4236	1288	cmd.exe	84
PID 1288 wrote to memory of 1124	1288	cmd.exe	85
PID 1288 wrote to memory of 1124	1288	cmd.exe	85
PID 1288 wrote to memory of 1124	1288	cmd.exe	85
PID 1288 wrote to memory of 2328	1288	cmd.exe	86
PID 1288 wrote to memory of 2328	1288	cmd.exe	86
PID 1288 wrote to memory of 2328	1288	cmd.exe	86
PID 1288 wrote to memory of 4400	1288	cmd.exe	87
PID 1288 wrote to memory of 4400	1288	cmd.exe	87
PID 1288 wrote to memory of 4400	1288	cmd.exe	87
PID 1288 wrote to memory of 4304	1288	cmd.exe	88
PID 1288 wrote to memory of 4304	1288	cmd.exe	88
PID 1288 wrote to memory of 4304	1288	cmd.exe	88
PID 1288 wrote to memory of 1528	1288	cmd.exe	89
PID 1288 wrote to memory of 1528	1288	cmd.exe	89
PID 1288 wrote to memory of 1528	1288	cmd.exe	89
PID 1288 wrote to memory of 5012	1288	cmd.exe	90
PID 1288 wrote to memory of 5012	1288	cmd.exe	90
PID 1288 wrote to memory of 5012	1288	cmd.exe	90
PID 1288 wrote to memory of 1364	1288	cmd.exe	91
PID 1288 wrote to memory of 1364	1288	cmd.exe	91
PID 1288 wrote to memory of 1364	1288	cmd.exe	91
PID 1288 wrote to memory of 1344	1288	cmd.exe	92
PID 1288 wrote to memory of 1344	1288	cmd.exe	92
PID 1288 wrote to memory of 1344	1288	cmd.exe	92
PID 1288 wrote to memory of 4080	1288	cmd.exe	93
PID 1288 wrote to memory of 4080	1288	cmd.exe	93
PID 1288 wrote to memory of 4080	1288	cmd.exe	93
PID 1288 wrote to memory of 3060	1288	cmd.exe	94
PID 1288 wrote to memory of 3060	1288	cmd.exe	94
PID 1288 wrote to memory of 3060	1288	cmd.exe	94
PID 1288 wrote to memory of 4300	1288	cmd.exe	95
PID 1288 wrote to memory of 4300	1288	cmd.exe	95
PID 1288 wrote to memory of 4300	1288	cmd.exe	95
PID 1288 wrote to memory of 4292	1288	cmd.exe	96
PID 1288 wrote to memory of 4292	1288	cmd.exe	96
PID 1288 wrote to memory of 4292	1288	cmd.exe	96
PID 1288 wrote to memory of 1108	1288	cmd.exe	97
PID 1288 wrote to memory of 1108	1288	cmd.exe	97
PID 1288 wrote to memory of 1108	1288	cmd.exe	97
PID 1288 wrote to memory of 4620	1288	cmd.exe	98
PID 1288 wrote to memory of 4620	1288	cmd.exe	98
PID 1288 wrote to memory of 4620	1288	cmd.exe	98
PID 1288 wrote to memory of 3200	1288	cmd.exe	99
PID 1288 wrote to memory of 3200	1288	cmd.exe	99
PID 1288 wrote to memory of 3200	1288	cmd.exe	99
PID 1288 wrote to memory of 4552	1288	cmd.exe	100
PID 1288 wrote to memory of 4552	1288	cmd.exe	100
PID 1288 wrote to memory of 4552	1288	cmd.exe	100
PID 1288 wrote to memory of 240	1288	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe
"C:\Users\Admin\AppData\Local\Temp\cbaf1f229bce0d378b3f26e4dd9a21db58c244b4e16e838c769f2810438e5a89.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\PROGRA~1\COMMON~1\temps.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\mode.com
    mode con cols=60 lines=35
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1676
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:812
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4236
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1124
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:2328
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4400
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4304
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1528
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:5012
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1364
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1344
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4080
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:3060
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4300
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4292
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1108
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4620
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:3200
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4552
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:240
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:216
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:4348
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1336
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:2440
- - C:\Windows\SysWOW64\PING.EXE
    ping /n 0 127.1
    3⤵
    - Runs ping.exe
    PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\Temps.bat

Filesize
3KB

MD5
6e3d74ad6eaf660026bc8acf76c95673

SHA1
4d1d9bc80e65ef4c675f8ce7fe64eefba88ea1cf

SHA256
cd23638db56b94f587cbbda0b488d3a4da018bb16b3a318ff716f915906f1f0f

SHA512
7f990f638c349b3760b90756ef4bf48ea8fbc527ab34c2ecc3e85df7c2f0cf6c0beb01530e57b24c4c3df14ba1671c34f9230e25619777aed3584c4e1165a54c

Download Submit