ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 10:27

Target

ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe
Size

2.9MB
MD5

1b4d55199d9d2ef7a833925e4c152522
SHA1

8bf8ded3b3c57d3e8b70d801081c3d455f66ff0e
SHA256

ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06
SHA512

180c249931f379223f0aa898da2ff0555e372a3d4118bcd9cbe9a08ce0398af6938984774a790e744933cbd70fa25385bb222f846ddbc2340afb3148d665508e
SSDEEP

24576:X0uL1fD3syAooEbWb5Hg1fLJ2aUgKmxzCczaBD/w:X0u+zPHg1fjzzGe

Score

7^/10

Deletes itself 1 IoCs

pid	Process
4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

pid	Process
4596	PING.EXE
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe
4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1792	4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe	81
PID 4992 wrote to memory of 1792	4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe	81
PID 1792 wrote to memory of 4588	1792	cmd.exe	82
PID 1792 wrote to memory of 4588	1792	cmd.exe	82
PID 4992 wrote to memory of 3520	4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe	83
PID 4992 wrote to memory of 3520	4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe	83
PID 3520 wrote to memory of 4596	3520	cmd.exe	84
PID 3520 wrote to memory of 4596	3520	cmd.exe	84
PID 4992 wrote to memory of 4144	4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe	85
PID 4992 wrote to memory of 4144	4992	ce76e73a7a1f8d7d38b87242a2ecb0317bb6671ed03792601548666e83cdaf06.exe	85
PID 4144 wrote to memory of 2064	4144	cmd.exe	86
PID 4144 wrote to memory of 2064	4144	cmd.exe	86

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/4992-0-0x00007FF794090000-0x00007FF794385000-memory.dmp

Filesize
3.0MB

Download