Analysis
max time kernel: 146s
max time network: 157s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe
  Resource: win10v2004-20220414-en
General
Target: e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe
Size: 4.1MB
MD5: e1c69be0f36873212cd0a5f29bd2edfa
SHA1: 48f7501444cb07628ef73200d0677a4fecb962d4
SHA256: e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a
SHA512: 9847d3b594cbe00ad70037a35cbc8fd6ef8e4c9bc2aedf925ba22737f723a8f4ec4244ed4f583cd0eb783d9c42c89dee062206fca080ffbb359dff98818d5e7d
Malware Config
Signatures
Drops startup file (2 IoCs)
Processes: cmd.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
Anything placed in the per-user Startup folder is launched at the next interactive logon of that user, so the svchostsw.exe drop (a name chosen to resemble the legitimate svchost.exe) is the persistence mechanism of this sample.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe
description | pid | process | target process
PID 748 wrote to memory of 1372 | 748 | e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe | cmd.exe
PID 748 wrote to memory of 1372 | 748 | e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe | cmd.exe
PID 748 wrote to memory of 1372 | 748 | e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe | cmd.exe
PID 748 wrote to memory of 1372 | 748 | e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe | cmd.exe
Note: all four writes go from the sample (PID 748) into PID 1372, the cmd.exe it launched itself (see Processes). A parent writing into a child it has just created is part of ordinary process start-up, so this signature alone does not show injection into a foreign process; it would need a target the sample did not spawn to carry that weight.
Processes
C:\Users\Admin\AppData\Local\Temp\e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe (PID 748)
  command line: "C:\Users\Admin\AppData\Local\Temp\e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe"
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\cmd.exe (PID 1372)
    command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    - Drops startup file
    The shell resolved to the SysWOW64 copy of cmd.exe, so the sample runs as a 32-bit process under WoW64 on this x64 guest. /Q suppresses command echo and /C runs s.bat and exits; the batch file (listed under Downloads) is what actually writes svchostsw.exe into the Startup folder.
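As an added triage example (this is not part of the report and not the sandbox's own code), the following Python re-parses the signature lines above into a small process model. It flags the Startup-folder drop as a persistence indicator and splits WriteProcessMemory calls into writes into a process's own child (CreateProcess set-up, as seen here) versus writes into a process the writer did not spawn (the pattern that would actually suggest injection). The six event lines are transcribed from the report; the PROCESS_TREE dictionary and the extra line targeting explorer.exe (PID 2000) are constructed for contrast and do not appear in the report.

```python
# Added example: re-parse Triage-style behavioural events (file drops and
# WriteProcessMemory lines) and classify them. Not part of the report or of
# any sandbox vendor's code; the line format is taken from the report text.
import re
from collections import Counter

# Event lines in the report's own wording. The first six are transcribed from
# the Signatures section; the last line is a CONSTRUCTED hypothetical write
# into an unrelated process (explorer.exe, PID 2000), added only for contrast.
SAMPLE_EVENTS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe
PID 748 wrote to memory of 1372 748 e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe cmd.exe
PID 748 wrote to memory of 1372 748 e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe cmd.exe
PID 748 wrote to memory of 1372 748 e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe cmd.exe
PID 748 wrote to memory of 1372 748 e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe cmd.exe
PID 748 wrote to memory of 2000 748 e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe explorer.exe
""".strip()

# child pid -> parent pid, from the report's Processes section (748 is the
# sample, 1372 the cmd.exe it spawned). PID 2000 is deliberately absent.
PROCESS_TREE = {1372: 748}

FILE_EVENT = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")
WPM_EVENT = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")

# Both the per-user and the all-users Startup folders end in this segment.
STARTUP_SEGMENT = "\\start menu\\programs\\startup\\"
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")


def parse_events(text):
    """Split report lines into file events and WriteProcessMemory events."""
    files, wpm = [], []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_EVENT.match(line)
        if m:
            files.append({"action": m.group(1), "path": m.group(2), "process": m.group(3)})
            continue
        m = WPM_EVENT.match(line)
        if m:
            wpm.append({"src": int(m.group(1)), "dst": int(m.group(2)),
                        "src_name": m.group(3), "dst_name": m.group(4)})
    return files, wpm


def autostart_drops(files):
    """File events that place an executable-type file in a Startup folder."""
    hits = []
    for ev in files:
        p = ev["path"].lower().replace("/", "\\")
        if STARTUP_SEGMENT in p and p.endswith(EXEC_EXTENSIONS):
            hits.append(ev)
    return hits


def classify_wpm(wpm, parent_of):
    """Count writes per (writer, target). A write into the writer's own child is
    what CreateProcess does while setting the new process up, so it is kept
    apart from writes into a process the writer did not create."""
    buckets = {"child_setup": Counter(), "cross_process": Counter()}
    for ev in wpm:
        key = (ev["src"], ev["src_name"], ev["dst"], ev["dst_name"])
        bucket = "child_setup" if parent_of.get(ev["dst"]) == ev["src"] else "cross_process"
        buckets[bucket][key] += 1
    return buckets


def triage(text, parent_of):
    """Findings ordered: persistence drops, injection candidates, then info."""
    files, wpm = parse_events(text)
    drops = autostart_drops(files)
    mem = classify_wpm(wpm, parent_of)
    findings = [f"persistence: {e['process']} {e['action']} {e['path']}" for e in drops]
    for (src, sn, dst, dn), n in mem["cross_process"].items():
        findings.append(f"injection-candidate: {sn} ({src}) wrote {n}x into {dn} ({dst}), not its child")
    for (src, sn, dst, dn), n in mem["child_setup"].items():
        findings.append(f"info: {sn} ({src}) wrote {n}x into its child {dn} ({dst}); process-creation set-up")
    return {"autostart_drops": drops, "memory_writes": mem, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, PROCESS_TREE)["findings"]:
        print(line)
```

Run as a script it prints two persistence findings for svchostsw.exe, one injection candidate for the constructed explorer.exe line, and one informational line for the four writes into cmd.exe. The parent map is the piece that matters: without it every WriteProcessMemory looks the same, which is exactly why the report's signature fires on a plain CreateProcess.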
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\s.bat
  Filesize: 323B
  MD5: 02349df74ba109e24fb5d5683a2370d3
  SHA1: a8a220cb53bcf8b6178d048cd631ad6b95ee3f5e
  SHA256: 136c5121b1f929e124e365ace484c3b50f0dae4f970592951eb7df8b756ae3f2
  SHA512: 671ac1c2a82058125d2131eaa391175539e081b5d738582b6989f599607235daeec6e37ea89563acc6848a7515486de2bedcb814bec12c4a9fae27840f406cbe
memory/748-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
  Filesize: 8KB
memory/1372-55-0x0000000000000000-mapping.dmp