e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a | Triage

Analysis

max time kernel
134s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 07:45

Sharing

Report Analysis Logs

General

Target

e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe
Size

4.1MB
MD5

e1c69be0f36873212cd0a5f29bd2edfa
SHA1

48f7501444cb07628ef73200d0677a4fecb962d4
SHA256

e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a
SHA512

9847d3b594cbe00ad70037a35cbc8fd6ef8e4c9bc2aedf925ba22737f723a8f4ec4244ed4f583cd0eb783d9c42c89dee062206fca080ffbb359dff98818d5e7d

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe

description	pid	process	target process
PID 4820 wrote to memory of 304	4820	e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe	cmd.exe
PID 4820 wrote to memory of 304	4820	e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe	cmd.exe
PID 4820 wrote to memory of 304	4820	e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe
"C:\Users\Admin\AppData\Local\Temp\e6e3a37f053bd43bb78e7c8d9c5ad26c71aab6e91f7df1005ee8ffaddaade14a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat
Filesize
323B

MD5
02349df74ba109e24fb5d5683a2370d3

SHA1
a8a220cb53bcf8b6178d048cd631ad6b95ee3f5e

SHA256
136c5121b1f929e124e365ace484c3b50f0dae4f970592951eb7df8b756ae3f2

SHA512
671ac1c2a82058125d2131eaa391175539e081b5d738582b6989f599607235daeec6e37ea89563acc6848a7515486de2bedcb814bec12c4a9fae27840f406cbe

Download Submit
memory/304-130-0x0000000000000000-mapping.dmp

Download