29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6 | Triage

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 13:47

Sharing

Report Analysis Logs

General

Target

29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe
Size

6.7MB
MD5

9984a42cd368b12454aa4d38000e494a
SHA1

3b0a2a47fad37321ae4adc14bbd241c1f35694b9
SHA256

29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6
SHA512

cb3fd18b3173179d56a37b8d6674a871fca16a703fc1ecba541c564055021d49ab6e8f1568f082a8960ad6fa299065105ff19d532ace9b6543543b669e04088f

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe

description	pid	process	target process
PID 1336 wrote to memory of 3764	1336	29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe	cmd.exe
PID 1336 wrote to memory of 3764	1336	29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe	cmd.exe
PID 1336 wrote to memory of 3764	1336	29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe
"C:\Users\Admin\AppData\Local\Temp\29a0c406ebb7c753ef3ef13fd29bdd993d0d3217215b20d4f743c01b7e383ca6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:3764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat
Filesize
323B

MD5
c0b9cd52138727872054135fd43c8ee7

SHA1
2e4542db0e42e089a6993f1f2882eff944aece2a

SHA256
f70160f7e8cd6c1a40c704c264e82566b596904c0ddc95ab78ce44f7e2e2e234

SHA512
ae541fe084045935aeacc9957aa12b5d0d369ee1f4203bbdd401446863da26e1f8385e3075da397ead7f94199c9287ad1a69f0d52fb08e40ae3c471269909469

Download Submit
memory/3764-130-0x0000000000000000-mapping.dmp

Download