6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2

Analysis

max time kernel
172s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
Size

11.4MB
MD5

a727493db8fc9d62a7d442b9f8d6b270
SHA1

8725622fb448707c1febaf30eb15ed71fbda38f5
SHA256

6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2
SHA512

cbf4c1b515c0de34e69046f5cade071c20dd86baa699a62d6c261647226290f84230e7fdb89d0e2288764817873e9df8d7b68eaed66b9ec05c0044906973564f
SSDEEP

196608:+Quf04H7ZH8VrsEyi80+gwLgS2GGuYJV+:wf0qIp0gI2eYO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
208	PING.EXE
2980	PING.EXE
860	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious behavior: RenamesItself 3 IoCs

pid	Process
3024	cmd.exe
4644	cmd.exe
4828	cmd.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
4428	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 3024	3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	99
PID 3928 wrote to memory of 3024	3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	99
PID 3928 wrote to memory of 3024	3928	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	99
PID 3024 wrote to memory of 208	3024	cmd.exe	101
PID 3024 wrote to memory of 208	3024	cmd.exe	101
PID 3024 wrote to memory of 208	3024	cmd.exe	101
PID 3024 wrote to memory of 1200	3024	cmd.exe	102
PID 3024 wrote to memory of 1200	3024	cmd.exe	102
PID 3024 wrote to memory of 1200	3024	cmd.exe	102
PID 1200 wrote to memory of 4644	1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	103
PID 1200 wrote to memory of 4644	1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	103
PID 1200 wrote to memory of 4644	1200	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	103
PID 4644 wrote to memory of 2980	4644	cmd.exe	105
PID 4644 wrote to memory of 2980	4644	cmd.exe	105
PID 4644 wrote to memory of 2980	4644	cmd.exe	105
PID 4644 wrote to memory of 5044	4644	cmd.exe	106
PID 4644 wrote to memory of 5044	4644	cmd.exe	106
PID 4644 wrote to memory of 5044	4644	cmd.exe	106
PID 5044 wrote to memory of 4828	5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	108
PID 5044 wrote to memory of 4828	5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	108
PID 5044 wrote to memory of 4828	5044	6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe	108
PID 4828 wrote to memory of 860	4828	cmd.exe	110
PID 4828 wrote to memory of 860	4828	cmd.exe	110
PID 4828 wrote to memory of 860	4828	cmd.exe	110
PID 4828 wrote to memory of 4428	4828	cmd.exe	111
PID 4828 wrote to memory of 4428	4828	cmd.exe	111
PID 4828 wrote to memory of 4428	4828	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
"C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1500
    3⤵
    - Runs ping.exe
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
    C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat
      4⤵
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1500
        5⤵
        Runs ping.exe
        
        PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
        
        C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat
        6⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1500
        7⤵
        Runs ping.exe
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
        
        C:\Users\Admin\AppData\Local\Temp\6317c55cac55fad2fee9a5e8ef9d6978ec680032d0f663c4e66b4bc67ee126b2.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
290B

MD5
46ab15e576752208d8383ab85f7a3728

SHA1
27124a0af2eb7efc3adf38a4db21bc9f406ff04c

SHA256
100048ec218b8438089c51d84ca4ef0642d2e539488a7746bb028a100d58d5e6

SHA512
5c07bba38f7aa35ea13630ea65164b9ffcc1bab0715cb91a5b94676689d4df69fbad59a729ec2a38cd494a88464d1840edf70d52452e00520f856dfaf8abe99f

Download Submit