1aec273004c1804ca7491860677c80fa6405ce0ec8843d1ffffbf5ff1f2f6c93

Analysis

Target

Gemini.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e

Score

1^/10

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3448 wrote to memory of 4072 3448 cmd.exe cscript.exe
PID 3448 wrote to memory of 4072 3448 cmd.exe cscript.exe

description	pid	process	target process
PID 3448 wrote to memory of 4072	3448	cmd.exe	cscript.exe
PID 3448 wrote to memory of 4072	3448	cmd.exe	cscript.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Gemini.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  PID:4072
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  PID:4636
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    PID:4984
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:4824
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:1208

C:\Users\Admin\AppData\Local\Temp\x

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.zip

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Download Submit
memory/1208-137-0x0000000000000000-mapping.dmp

Download
memory/2492-145-0x0000000000000000-mapping.dmp

Download
memory/2560-139-0x0000000000000000-mapping.dmp

Download
memory/4072-130-0x0000000000000000-mapping.dmp

Download
memory/4300-141-0x0000000000000000-mapping.dmp

Download
memory/4636-134-0x0000000000000000-mapping.dmp

Download
memory/4824-143-0x0000000000000000-mapping.dmp

Download
memory/4984-147-0x0000000000000000-mapping.dmp

Download