370d3b2ac96306a83cc49f1c5929a0badbeb2459d966046d88bc38709fb0245f | Triage

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2022, 19:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ngrok.exe
Size

18.5MB
MD5

9dc7237ac63d552270c5ca27960168c3
SHA1

c9eea274813603cb2686ac902383352384312319
SHA256

370d3b2ac96306a83cc49f1c5929a0badbeb2459d966046d88bc38709fb0245f
SHA512

aae4e4eaa22568499fe60e5058f2bbe0635e34d51c6b11cb5d699162468b062644ad3e4fe49e69b9a210fd8d0fa8a911f965b753a969f03a39bf85e1238c8103
SSDEEP

196608:87jy3FXs82XuWvzWQywOl34Rd9HSYIII2fzJ:AuJzWLtywdIILfF

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4876	ngrok.exe
4876	ngrok.exe
4876	ngrok.exe
4876	ngrok.exe
4112	ngrok.exe
4112	ngrok.exe
4112	ngrok.exe
4112	ngrok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4112	4876	ngrok.exe	82
PID 4876 wrote to memory of 4112	4876	ngrok.exe	82
PID 4876 wrote to memory of 1632	4876	ngrok.exe	83
PID 4876 wrote to memory of 1632	4876	ngrok.exe	83

C:\Users\Admin\AppData\Local\Temp\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Windows\system32\cmd.exe
  cmd.exe /K
  2⤵
  PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads