56d610a957297e3b100f558cc22d3aa250553d37a3c57a278245960181694347

Analysis

max time kernel
91s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e04f2ca4aef9e29c51e9388c71188d40.exe
Size

280KB
MD5

e04f2ca4aef9e29c51e9388c71188d40
SHA1

6f057a3027c20e23e8ac5e74d09685366572fddd
SHA256

56d610a957297e3b100f558cc22d3aa250553d37a3c57a278245960181694347
SHA512

89b3adf28529b78405ea5a68df1cde0e3cc683343cef3bb8d142cefa86feda1a38f04a064a3dc2ffb28c7d1aa9d1b4cefcc5811e4a6d621aca2a072acac7e684
SSDEEP

3072:CO+fEMt+5oqmcrQ3XMzkJJXIiMjJJeHGqONtjlTsuZfE:CO+fEO6mxd7yyHGJZwuZM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4868	zdocqc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
972	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3684	4152	e04f2ca4aef9e29c51e9388c71188d40.exe	85
PID 4152 wrote to memory of 3684	4152	e04f2ca4aef9e29c51e9388c71188d40.exe	85
PID 4152 wrote to memory of 3684	4152	e04f2ca4aef9e29c51e9388c71188d40.exe	85
PID 3684 wrote to memory of 4868	3684	cmd.exe	87
PID 3684 wrote to memory of 4868	3684	cmd.exe	87
PID 3684 wrote to memory of 4868	3684	cmd.exe	87
PID 3684 wrote to memory of 972	3684	cmd.exe	88
PID 3684 wrote to memory of 972	3684	cmd.exe	88
PID 3684 wrote to memory of 972	3684	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\e04f2ca4aef9e29c51e9388c71188d40.exe
"C:\Users\Admin\AppData\Local\Temp\e04f2ca4aef9e29c51e9388c71188d40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wixytva.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\zdocqc.exe
    "C:\Users\Admin\AppData\Local\Temp\zdocqc.exe"
    3⤵
    - Executes dropped EXE
    PID:4868
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eksikc.bat

Filesize
156B

MD5
158437cd4e8866699349fd76a58bb69d

SHA1
c2ef12dbfd5da58da740762855efae912c9a4e13

SHA256
303177d2be14e436ca2831c23eff3165813c989672afffdb2995455e3f2fc9e0

SHA512
95f24c372fab0227d46bf4f3a205a823529d51360f7bfb6349a75408241e8259964fc9f9f31ef6f495cc9027a2a27eebb20b3aac99fc5c810ca93d479eabcec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wixytva.bat

Filesize
124B

MD5
476a11480f411519afbceca8f49d4c33

SHA1
d68726ec209e6082107dcf7efb3d9b770a97a431

SHA256
3698eacc916a53fbf8832f1954936d94a592303f8a322e40498e38859ce29f44

SHA512
caef2af9529cf7fb44dd07d371816922b36eb8599383712e5c0e6c4235b3043ee05e0f0ea3a9409c7dfa3e10b48ff9b7d23196f7dafcad24dc7e05a6e73b69b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdocqc.exe

Filesize
180KB

MD5
fda503951d3c79f44c2658b5b7b937bc

SHA1
56820aabd3d724d361dba364b22ea1b6214c2327

SHA256
439246a8172b02d9b223605e00fd6a1b8e3df5a5e8adb13a4818e52704c3da6b

SHA512
b86cc4c6af7332d02669266c9feb14cc6205d9b6e42bba2f5b24a85ae9c870ff6a141c3850cc0789d1d7f8bc164434e3d09ba91ae64a02ad535b042820733048

Download Submit