Analysis
max time kernel: 50s
max time network: 510s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 20:06

Static task: static1
Behavioral task: behavioral1
Sample: ngrok.exe
Resource: win10v2004-20240508-en (windows10-2004-x64)
2 signatures, 1800 seconds
General
Target: ngrok.exe
Size: 28.2MB
MD5: fe94c576b99dcc99b1c82fce00af97ab
SHA1: aea717754ba2ba8fb3981bb87837b150ab659023
SHA256: 3e20143e3e6346e09009109c997e91ce135eafc20496a02b2d5bad4a0b2a823c
SHA512: 9bfbc9063924c61a5fe5338ea7c332d764575d62e80ac20356a9d10901b40266dd536d19274302ddf1cdc8b92fdb9c0bda4d807ef012d55db7f5e28453b16b34
SSDEEP: 98304:FNE2/fNpo5pemooOoC3iQ5Ao2oPOt6rv8TT5bNGcP/NT41ue+ROhNZkJKfyq1t4C:DE2/CemooOoyz5XPOv5svw1B6
Score: 1/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process; each row reported 4 times):
  2508  ngrok.exe
  3620  ngrok.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process; each row reported 2 times):
  PID 2508 wrote to memory of 3620   2508  ngrok.exe  ngrok.exe
  PID 2508 wrote to memory of 4452   2508  ngrok.exe  cmd.exe
  PID 4452 wrote to memory of 2684   4452  cmd.exe    ngrok.exe
Processes
(PIDs in the tree are taken from the WriteProcessMemory signature rows above; indentation shows parent/child depth.)
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 2508, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 3620, depth 2, child of 2508)
    Command line: C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 4452, depth 2, child of 2508)
    Command line: cmd.exe /K
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 2684, depth 3, child of 4452)
      Command line: ngrok tcp 2000
      Signatures: none
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID not listed)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
  Signatures: none
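The process tree above is the part of this report a detection engineer would act on: the sample itself scores 1/10 because ngrok is a legitimate tunnelling tool, but a copy of it in a user's Temp directory that spawns `cmd.exe /K` and then `ngrok tcp 2000` is exposing a local TCP port to the internet. The following is an added example (not part of the sandbox report and not ngrok's or the sandbox vendor's code) that runs that detection over process-creation telemetry and reconstructs the ancestry chain. The event schema (pid, ppid, image, cmdline) is an assumption; map your EDR or Sysmon Event ID 1 fields onto it. The sample events are constructed to mirror the tree above: PIDs 2508, 3620, 4452 and 2684 come from the WriteProcessMemory rows, while the parent PID 1000 for the top-level processes and PID 5120 for msedge.exe are made up because the report does not list them. Only the `tcp` subcommand appears in the report; `http`, `tls`, `start` and `tunnel` are included as ngrok's other tunnel-starting subcommands and are an assumption about the ngrok CLI.

```python
"""Flag ngrok tunnel launches in process-creation events and show ancestry.

Added example; the event schema and the constructed sample events below are
assumptions, not data from the report (apart from the PIDs 2508/3620/4452/2684
and the command lines, which are copied from the process tree).
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# 'tcp' is the subcommand observed in the report; the others are assumed
# from the ngrok CLI as the remaining subcommands that open a tunnel.
TUNNEL_SUBCOMMANDS = {"tcp", "http", "tls", "start", "tunnel"}
NGROK_NAMES = {"ngrok", "ngrok.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged by the sensor
    cmdline: str    # raw command line as logged by the sensor


@dataclass
class Finding:
    pid: int
    subcommand: str
    target: str | None                               # e.g. the port "2000"
    chain: list[str] = field(default_factory=list)   # root ... offender


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_ngrok_cmdline(cmdline: str) -> tuple[str, str | None] | None:
    """Return (subcommand, first positional argument) for a tunnel launch.

    posix=False keeps backslashes in Windows paths intact; surrounding
    double quotes are stripped afterwards. Note this keys on argv[0], so a
    renamed binary evades it: pair it with a hash match (the report gives
    SHA256 3e20143e...) or an Authenticode check in production.
    """
    try:
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quote in the logged command line
        return None
    if not argv or _basename(argv[0]) not in NGROK_NAMES:
        return None
    for i, tok in enumerate(argv[1:], start=1):
        if tok.startswith("-"):  # skip global flags such as --log=stdout
            continue
        if tok.lower() in TUNNEL_SUBCOMMANDS:
            target = next((a for a in argv[i + 1:] if not a.startswith("-")), None)
            return tok.lower(), target
        return None              # some other subcommand, e.g. "ngrok version"
    return None


def find_ngrok_tunnels(events: list[ProcEvent]) -> list[Finding]:
    """Return one Finding per tunnel launch, with its parent chain root-first."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for ev in events:
        parsed = parse_ngrok_cmdline(ev.cmdline)
        if parsed is None:
            continue
        sub, target = parsed
        chain, cur, seen = [], ev, set()
        while cur is not None and cur.pid not in seen:   # guard against PID reuse loops
            seen.add(cur.pid)
            chain.append(f"{_basename(cur.image)}({cur.pid})")
            cur = by_pid.get(cur.ppid)
        findings.append(Finding(ev.pid, sub, target, chain[::-1]))
    return findings


# Constructed sample telemetry mirroring the report's process tree.
# ppid 1000 and msedge's pid 5120 are invented; the report does not list them.
SAMPLE_EVENTS = [
    ProcEvent(2508, 1000, r"C:\Users\Admin\AppData\Local\Temp\ngrok.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"'),
    ProcEvent(3620, 2508, r"C:\Users\Admin\AppData\Local\Temp\ngrok.exe",
              r"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"),
    ProcEvent(4452, 2508, r"C:\Windows\system32\cmd.exe", "cmd.exe /K"),
    ProcEvent(2684, 4452, r"C:\Users\Admin\AppData\Local\Temp\ngrok.exe",
              "ngrok tcp 2000"),
    ProcEvent(5120, 1000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
]

if __name__ == "__main__":
    for f in find_ngrok_tunnels(SAMPLE_EVENTS):
        print(f"pid {f.pid}: ngrok {f.subcommand} {f.target}  via  {' -> '.join(f.chain)}")
```

Run against the sample, the only hit is PID 2684 (`ngrok tcp 2000`) with the chain ngrok.exe(2508) -> cmd.exe(4452) -> ngrok.exe(2684); the bare ngrok.exe launches at 2508 and 3620 open no tunnel and are left alone, which is the distinction the 1/10 score hides.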