5a0ae314a3ccfcd8e2a77585fb96f650574aac0d5dcb48a85f2f4e0be698845f | Triage

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24/03/2023, 13:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ngrok.exe
Size

18.4MB
MD5

f886615860dbbcd3fe966cf1c79203f9
SHA1

cdcce183c817b5a291dd2a3d6ef6dca93ce3f01d
SHA256

5a0ae314a3ccfcd8e2a77585fb96f650574aac0d5dcb48a85f2f4e0be698845f
SHA512

4f133875662db65313897586d4ab748be5ed386f31ba3ee6d54e7cc4e4da44cf54392bb16f6f1832ba74f4be55ec3aeae5d3632b73bab2a49dbe37ff7d8edcca
SSDEEP

196608:trwkQhsWhgXuPx0WQywOlNF4Rd9HScIxuJKW:OHOoPmtywnIx8K

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1532	ngrok.exe
1532	ngrok.exe
1284	ngrok.exe
1284	ngrok.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1284	1532	ngrok.exe	29
PID 1532 wrote to memory of 1284	1532	ngrok.exe	29
PID 1532 wrote to memory of 1284	1532	ngrok.exe	29
PID 1532 wrote to memory of 1080	1532	ngrok.exe	30
PID 1532 wrote to memory of 1080	1532	ngrok.exe	30
PID 1532 wrote to memory of 1080	1532	ngrok.exe	30

C:\Users\Admin\AppData\Local\Temp\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Windows\system32\cmd.exe
  cmd.exe /K
  2⤵
  PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads