f37794539730a4be0c166371ca75aabb1594aa6a28a97da55f87eb553cf9ce40 | Triage

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 22:18

Sharing

Report Analysis Logs

General

Target

ngrok.exe
Size

28.2MB
MD5

e83c0724855253650f403d9a3b8af84b
SHA1

43b8c38f4ba54a00d59cfbdab0d2270f51255915
SHA256

706c36f927cdc78f55c5d165ef98014811e61126bca7e22c858d36ca3306f9d7
SHA512

ec14cba0b2ef41654323f8c009a5f72792773785d2cfe2adfde9c392bd6158eef25eed61ef5be463be27c4b4f2ba3d13b1bbc637e7b0c53a8682b4520c290e1f
SSDEEP

393216:SYOCQQFV9BVqWSIVe1oFb5mMjR1w/HXZrTZ2VYiZ+7oAY:FOCQQFhVqWSIC1Y

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4936	ngrok.exe
4936	ngrok.exe
4936	ngrok.exe
4936	ngrok.exe
3792	ngrok.exe
3792	ngrok.exe
3792	ngrok.exe
3792	ngrok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3792	4936	ngrok.exe	79
PID 4936 wrote to memory of 3792	4936	ngrok.exe	79
PID 4936 wrote to memory of 2388	4936	ngrok.exe	80
PID 4936 wrote to memory of 2388	4936	ngrok.exe	80

C:\Users\Admin\AppData\Local\Temp\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\Windows\system32\cmd.exe
  cmd.exe /K
  2⤵
  PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads