d03c84a13b8e6274f7353fd98e35f73c194938b61690a9a8a83c594a40994dec

Resubmissions

10-10-2023 19:06

231010-xr48baaa72 7

10-10-2023 18:57

231010-xmdvkahh85 7

11-12-2020 07:11

201211-8rk4l8xrye 10

Analysis

max time kernel
126s
max time network
133s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
10-10-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

107fe810309d392811fb898622aa607c.exe
Size

265KB
MD5

107fe810309d392811fb898622aa607c
SHA1

da82f9894db9b0a9b3cc9565a0c71e3e851cf98b
SHA256

d03c84a13b8e6274f7353fd98e35f73c194938b61690a9a8a83c594a40994dec
SHA512

1def7eff04fac2e9ce8f8f54655ade9640dfe81d0bf957762d173b13ef5d6681ef212418f8fd0e72d0d40fa0d2b0e1c1a3f05805ab0009bf2db3f175cd3d7d84
SSDEEP

1536:vU+AIFt7FeLuMI8Orz99qsOCGMfZovSCC:vU+Aet0aZ3RHovW

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

348 PING.EXE

pid	process
348	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

107fe810309d392811fb898622aa607c.execmd.exe

description	pid	process	target process
PID 3596 wrote to memory of 4404	3596	107fe810309d392811fb898622aa607c.exe	cmd.exe
PID 3596 wrote to memory of 4404	3596	107fe810309d392811fb898622aa607c.exe	cmd.exe
PID 3596 wrote to memory of 4404	3596	107fe810309d392811fb898622aa607c.exe	cmd.exe
PID 4404 wrote to memory of 348	4404	cmd.exe	PING.EXE
PID 4404 wrote to memory of 348	4404	cmd.exe	PING.EXE
PID 4404 wrote to memory of 348	4404	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe
"C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\107fe810309d392811fb898622aa607c.exe" >> NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3596-0-0x0000000000510000-0x000000000051D000-memory.dmp

Filesize
52KB

Download