Analysis
-
max time kernel
10s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10-05-2024 20:03
Static task
static1
Behavioral task
behavioral1
Sample
ngrok.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
3 signatures
30 seconds
General
-
Target
ngrok.exe
-
Size
28.2MB
-
MD5
fe94c576b99dcc99b1c82fce00af97ab
-
SHA1
aea717754ba2ba8fb3981bb87837b150ab659023
-
SHA256
3e20143e3e6346e09009109c997e91ce135eafc20496a02b2d5bad4a0b2a823c
-
SHA512
9bfbc9063924c61a5fe5338ea7c332d764575d62e80ac20356a9d10901b40266dd536d19274302ddf1cdc8b92fdb9c0bda4d807ef012d55db7f5e28453b16b34
-
SSDEEP
98304:FNE2/fNpo5pemooOoC3iQ5Ao2oPOt6rv8TT5bNGcP/NT41ue+ROhNZkJKfyq1t4C:DE2/CemooOoyz5XPOv5svw1B6
Score
1/10
Malware Config
Signatures
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description | flow | ioc
HTTP User-Agent header | 24 | Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: ngrok.exe, ngrok.exe
pid | process
3244 | ngrok.exe
3244 | ngrok.exe
3244 | ngrok.exe
3244 | ngrok.exe
3080 | ngrok.exe
3080 | ngrok.exe
3080 | ngrok.exe
3080 | ngrok.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes: ngrok.exe, cmd.exe
description | pid | process | target process
PID 3244 wrote to memory of 3080 | 3244 | ngrok.exe | ngrok.exe
PID 3244 wrote to memory of 3080 | 3244 | ngrok.exe | ngrok.exe
PID 3244 wrote to memory of 1360 | 3244 | ngrok.exe | cmd.exe
PID 3244 wrote to memory of 1360 | 3244 | ngrok.exe | cmd.exe
PID 1360 wrote to memory of 3200 | 1360 | cmd.exe | ngrok.exe
PID 1360 wrote to memory of 3200 | 1360 | cmd.exe | ngrok.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ngrok.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (level 2)
    Command line: cmd.exe /K
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ngrok.exe (level 3)
      Command line: ngrok tcp 25565