6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2

Analysis

max time kernel
148s
max time network
159s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
Size

11.4MB
MD5

a727493db8fc9d62a7d442b9f8d6b270
SHA1

8725622fb448707c1febaf30eb15ed71fbda38f5
SHA256

6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2
SHA512

cbf4c1b515c0de34e69046f5cade071c20dd86baa699a62d6c261647226290f84230e7fdb89d0e2288764817873e9df8d7b68eaed66b9ec05c0044906973564f
SSDEEP

196608:+Quf04H7ZH8VrsEyi80+gwLgS2GGuYJV+:wf0qIp0gI2eYO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2552	PING.EXE
2868	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2444	cmd.exe
2820	cmd.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1808	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 1304 wrote to memory of 2444	1304	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	30
PID 2444 wrote to memory of 2552	2444	cmd.exe	32
PID 2444 wrote to memory of 2552	2444	cmd.exe	32
PID 2444 wrote to memory of 2552	2444	cmd.exe	32
PID 2444 wrote to memory of 2552	2444	cmd.exe	32
PID 2444 wrote to memory of 1680	2444	cmd.exe	33
PID 2444 wrote to memory of 1680	2444	cmd.exe	33
PID 2444 wrote to memory of 1680	2444	cmd.exe	33
PID 2444 wrote to memory of 1680	2444	cmd.exe	33
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 1680 wrote to memory of 2820	1680	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	34
PID 2820 wrote to memory of 2868	2820	cmd.exe	36
PID 2820 wrote to memory of 2868	2820	cmd.exe	36
PID 2820 wrote to memory of 2868	2820	cmd.exe	36
PID 2820 wrote to memory of 2868	2820	cmd.exe	36
PID 2820 wrote to memory of 1808	2820	cmd.exe	37
PID 2820 wrote to memory of 1808	2820	cmd.exe	37
PID 2820 wrote to memory of 1808	2820	cmd.exe	37
PID 2820 wrote to memory of 1808	2820	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
"C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\update.bat
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1500
    3⤵
    - Runs ping.exe
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
    C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\update.bat
      4⤵
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1500
        5⤵
        Runs ping.exe
        
        PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
        
        C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit