8cbd5f9b1be18429ebd9e3fd0fe7152682848ed00d359eea9fbdb77840b076af | Triage

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 15:06

Sharing

Report Analysis Logs

General

Target

ngrok.exe
Size

45.9MB
MD5

108a2b2ace16b215f7bd1207be6b1498
SHA1

c98b8a1184c1195bced0b9f769943786052b303e
SHA256

8cbd5f9b1be18429ebd9e3fd0fe7152682848ed00d359eea9fbdb77840b076af
SHA512

c50443d25be2bd80f59545cb25577dcb3240d621bce511a063939baa084c1cef79f40a02414db90f4cc0efa7b751b808131c2b7014966b70a430f086d239985f
SSDEEP

393216:rYXEXR3uzMK0GWSFqlV3lYWmnHGm8mtGDfdJlU8Jq8tA9KxFxCfV:rYXEXhuzMmF26WmnHGrO1

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4740	ngrok.exe
4740	ngrok.exe
4740	ngrok.exe
4740	ngrok.exe
2432	ngrok.exe
2432	ngrok.exe
2432	ngrok.exe
2432	ngrok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2432	4740	ngrok.exe	83
PID 4740 wrote to memory of 2432	4740	ngrok.exe	83
PID 4740 wrote to memory of 884	4740	ngrok.exe	84
PID 4740 wrote to memory of 884	4740	ngrok.exe	84

C:\Users\Admin\AppData\Local\Temp\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\ngrok.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Windows\system32\cmd.exe
  cmd.exe /K
  2⤵
  PID:884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads