4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a | Triage

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-07-2022 09:34

Sharing

Report Analysis Logs

General

Target

4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe
Size

6.7MB
MD5

9eafd2cf5a46061eb25eaf6ca43ce6c7
SHA1

167dacf066be94c6914282b86ed8dc4c6f87d139
SHA256

4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a
SHA512

59caa8edef67d2148ea32bdebdbae2776c47259554dff33574768f7ea3dd781e3897d0ca99ebe05a29df2670e433ad2d5946ff1239d5cc1a71477d514622f6c1

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe

description	pid	process	target process
PID 2544 wrote to memory of 1308	2544	4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe	cmd.exe
PID 2544 wrote to memory of 1308	2544	4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe	cmd.exe
PID 2544 wrote to memory of 1308	2544	4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe
"C:\Users\Admin\AppData\Local\Temp\4b8c42508fc4c4a453819aa3f48fd206984673efe293f4035b09bb739abcf56a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat
Filesize
323B

MD5
f32530f6af4d31acd2cb2e379174a222

SHA1
ce86658ed4fb5fbccd2a9f6ea7884e652618f527

SHA256
1f41f345fb9a69f9c70581130386a35fef9722cf541b08e29cada65124adfdab

SHA512
802c00fbcb0530e2db90d8b74a65508c8e567632660791bdd3cd5626666c6c8c7a897ba54714388b26c8be46c42239409a8fdad3101c2ebe019ffb23715fef59

Download Submit
memory/1308-130-0x0000000000000000-mapping.dmp

Download