Analysis

max time kernel: 203s
max time network: 213s
platform: windows7_x64
resource: win7-20220414-en
resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2022 01:10

Behavioral task: behavioral1
Sample: 53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe
Resource: win10v2004-20220414-en
General

Target: 53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe
Size: 6.7MB
MD5: c5435ae3db683f7c02e45f3893749f5c
SHA1: 8d1286ac63f8f8d6a0246a2439190fc1d956cc2d
SHA256: 53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0
SHA512: feab5a2074db5452fd510adb7c6dddfef9beb64631a6340af4e6dee7bd2a080d69a57c012b5fb0918c354caff54ab6b4b9714330ad256607276c0eb08caa1955
Malware Config

Signatures

Drops startup file (2 IoCs)
Process: cmd.exe

description                  | ioc                                                                                        | process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe

Anything placed in this per-user Startup folder is launched at the next interactive logon of the Admin user, and the dropped name svchostsw.exe is chosen to blend in with the legitimate svchost.exe. This is the persistence mechanism the report captures.

Suspicious use of WriteProcessMemory (4 IoCs)
Process: 53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe

description                     | pid | process                                                               | target process
PID 900 wrote to memory of 1996 | 900 | 53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe | cmd.exe

The same entry is recorded four times. The target (PID 1996) is the cmd.exe child the sample itself spawns, and a parent writes into a freshly created child's address space during ordinary process creation, so on its own this signature is supporting evidence of the process chain rather than proof of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
      - Drops startup file
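The chain above (dropper starts cmd.exe with /C on a batch file in %TEMP%, and that cmd.exe writes an executable into the user's Startup folder) is straightforward to detect from process-creation and file-creation telemetry. The following is an added example written for this page, not output of the sandbox or code belonging to the sample. The event records are constructed to mirror the report's process tree and IoCs (PIDs 900 and 1996, the s.bat path and the svchostsw.exe drop come from the report; the two benign records are invented noise), and the field names are Sysmon-style assumptions (EventID 1 for process create, EventID 11 for file create).

```python
"""Detection logic for the 'cmd runs a Temp batch file, which drops into the
Startup folder' chain in this report. Added example, not sandbox output.
Event records are CONSTRUCTED; field names follow Sysmon conventions."""
import re
from typing import Dict, List

DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "53052600ea8741fcea59bf190d96ddb815b0cd766d9a21c01734f2228df545d0.exe")
STARTUP = ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\"
           "Start Menu\\Programs\\Startup\\")

# Constructed telemetry: the first three records mirror the report's process tree
# and IoCs; the last two are benign noise to show the rules stay quiet on them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "900", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": "1", "ProcessId": "1996", "ParentImage": DROPPER,
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "cmd /Q /C C:\\Users\\Admin\\AppData\\Local\\Temp/s.bat"},
    {"EventID": "11", "ProcessId": "1996", "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "TargetFilename": STARTUP + "svchostsw.exe"},
    {"EventID": "11", "ProcessId": "2044", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Temp\\build.log"},
    {"EventID": "1", "ProcessId": "2100", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /C dir C:\\Users\\Admin"},
]

# Per-user and all-users Startup folders share this path tail.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# cmd /C or /K handing control to a .bat/.cmd under a Temp directory; accepts either
# slash style, because the report's command line mixes them ("Temp/s.bat").
TEMP_BATCH_RE = re.compile(
    r"\bcmd(?:\.exe)?\b.*?\s/[ck]\s+\"?([^\s\"]*\\Temp[\\/][^\s\"]+\.(?:bat|cmd))\b",
    re.IGNORECASE)
# Dropped names that borrow a Windows system binary's name as a prefix.
SYSTEM_LOOKALIKE_RE = re.compile(r"^(?:svchost|csrss|lsass|winlogon|explorer)\w*\.exe$",
                                 re.IGNORECASE)


def startup_drop_findings(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Every file-create landing in a Startup folder; lookalike names are rated high."""
    findings = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if ev.get("EventID") != "11" or not STARTUP_DIR_RE.search(target):
            continue
        name = target.rsplit("\\", 1)[-1]
        findings.append({
            "rule": "startup_folder_drop", "pid": ev["ProcessId"], "image": ev["Image"],
            "target": target,
            "severity": "high" if SYSTEM_LOOKALIKE_RE.match(name) else "medium",
        })
    return findings


def temp_batch_findings(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """cmd.exe launched with /C or /K on a batch file under a Temp directory."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        m = TEMP_BATCH_RE.search(ev.get("CommandLine", ""))
        if m:
            findings.append({"rule": "cmd_runs_temp_batch", "pid": ev["ProcessId"],
                             "parent": ev.get("ParentImage", ""), "batch": m.group(1),
                             "severity": "medium"})
    return findings


def correlate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Join the two rules on PID: a Startup drop made by a cmd.exe that was itself
    started to run a Temp batch file is exactly the report's chain, rated critical.
    Batch launches with no matching drop are still returned on their own."""
    batches = {f["pid"]: f for f in temp_batch_findings(events)}
    results = []
    for drop in startup_drop_findings(events):
        batch = batches.get(drop["pid"])
        if batch:
            drop = dict(drop, severity="critical", via_batch=batch["batch"],
                        parent=batch["parent"])
        results.append(drop)
    seen = {r["pid"] for r in results}
    results.extend(f for pid, f in batches.items() if pid not in seen)
    return results


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], "pid", f["pid"],
              f.get("target") or f.get("batch"), "parent:", f.get("parent", "?"))
```

Run against the constructed events it yields a single critical finding for PID 1996 whose parent is the sample and whose batch is the report's s.bat; the cmd.exe writing build.log and the plain "cmd /C dir" produce nothing. The PID join is what turns two medium-confidence rules into a high-confidence one, and keeping the parent image in the finding gives the responder the dropper hash to pivot on.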
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat
  Filesize: 323B
  MD5: 76fce7f50eaf95c182aca1c7bc105b65
  SHA1: 05e4bf3418bcf2cd7218080a39d194e6c23bc54f
  SHA256: 9209ecf24f55d568d12f658940a1955736e421399f1a0165c698ed95089341d3
  SHA512: b20d7c7ffad30d8631702ab9cde1a01e59bc48a018cff5f26cf6f0124f71136390c2367b7071dae57cc45737ac2bff596d2c73d321c434b170f4ed855797a7e0

memory/900-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
  Filesize: 8KB

memory/1996-55-0x0000000000000000-mapping.dmp