370d3b2ac96306a83cc49f1c5929a0badbeb2459d966046d88bc38709fb0245f | Triage

Analysis

max time kernel
40s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/12/2022, 19:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ngrok.exe
Size

18.5MB
MD5

9dc7237ac63d552270c5ca27960168c3
SHA1

c9eea274813603cb2686ac902383352384312319
SHA256

370d3b2ac96306a83cc49f1c5929a0badbeb2459d966046d88bc38709fb0245f
SHA512

aae4e4eaa22568499fe60e5058f2bbe0635e34d51c6b11cb5d699162468b062644ad3e4fe49e69b9a210fd8d0fa8a911f965b753a969f03a39bf85e1238c8103
SSDEEP

196608:87jy3FXs82XuWvzWQywOl34Rd9HSYIII2fzJ:AuJzWLtywdIILfF

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1976	ngrok.exe
1976	ngrok.exe
1340	ngrok.exe
1340	ngrok.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1340	1976	ngrok.exe	28
PID 1976 wrote to memory of 1340	1976	ngrok.exe	28
PID 1976 wrote to memory of 1340	1976	ngrok.exe	28
PID 1976 wrote to memory of 1348	1976	ngrok.exe	29
PID 1976 wrote to memory of 1348	1976	ngrok.exe	29
PID 1976 wrote to memory of 1348	1976	ngrok.exe	29

C:\Users\Admin\AppData\Local\Temp\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe /K
  2⤵
  PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads