Analysis
- max time kernel: 46s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-06-2022 13:09
Static task: static1

Behavioral task: behavioral1
- Sample: reconstructed_core/2022-06-04/core/cmd.bat
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: reconstructed_core/2022-06-04/core/cmd.bat
- Resource: win10v2004-20220414-en

Behavioral task: behavioral3
- Sample: reconstructed_core/2022-06-04/core/labor-.dll
- Resource: win7-20220414-en

Behavioral task: behavioral4
- Sample: reconstructed_core/2022-06-04/core/labor-.dll
- Resource: win10v2004-20220414-en

Behavioral task: behavioral5
- Sample: reconstructed_core/2022-06-04/core/license.dat
- Resource: win7-20220414-en

Behavioral task: behavioral6
- Sample: reconstructed_core/2022-06-04/core/license.dat
- Resource: win10v2004-20220414-en
General
- Target: reconstructed_core/2022-06-04/core/cmd.bat
- Size: 188B
- MD5: d67f758395e66ed03d9065d8c23f2894
- SHA1: 1d635b99201ef4551132d29495e0c259404bd5eb
- SHA256: afc903fcce880470df94d38d1f877c114c16ba78d2a25a0b9094c99e425f3586
- SHA512: d48a6f81dc69bf0b9024e775c8620c504f1563e57978213635e3ebd546c450a3e8c621ba58d1dc1d1c2f71b4563ff8c7abd0915255874a59bfb4917c2cb2ff5f
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe

  description                        | pid  | process | target process
  -----------------------------------|------|---------|---------------
  PID 1964 wrote to memory of 1944   | 1964 | cmd.exe | rundll32.exe
  PID 1964 wrote to memory of 1944   | 1964 | cmd.exe | rundll32.exe
  PID 1964 wrote to memory of 1944   | 1964 | cmd.exe | rundll32.exe
Processes
- C:\Windows\system32\cmd.exe (PID: 1964)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\reconstructed_core\2022-06-04\core\cmd.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID: 1944)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\labor-.tmp,DllMain --ma="license.dat"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1944-54-0x0000000000000000-mapping.dmp