a28e3c550eb65762971c2e6f675540d4f9f830304b7bf0dba2ca39d7cace8ef4

Resubmissions

14/10/2022, 07:00

221014-hs1tyscfc6 1

12/10/2022, 08:00

221012-jv5flachh4 8

Analysis

max time kernel
44s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3550/3367.cmd
Size

245B
MD5

c0a2c18b8e80e4a7af74bf718bbb993b
SHA1

7c87ef36f1763b5d5234ca45445b73bb3f49b8b2
SHA256

6e67d68badb493c0be327073ff68740c6cca48de5094d925593dd1248f1046c1
SHA512

bd84b3ba94e30169d9b12e3f1363cdc9731a728ade2717a6ebdd9de23494c0441043304fd82ad3ddc8bbb627c882df17ebeb4985c3667b38c93de9773a16b1b2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
588	in.exe
1208	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1324	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1168	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1168	1324	cmd.exe	28
PID 1324 wrote to memory of 1168	1324	cmd.exe	28
PID 1324 wrote to memory of 1168	1324	cmd.exe	28
PID 1324 wrote to memory of 588	1324	cmd.exe	29
PID 1324 wrote to memory of 588	1324	cmd.exe	29
PID 1324 wrote to memory of 588	1324	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3550\3367.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\system32\PING.EXE
  ping google.com
  2⤵
  - Runs ping.exe
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\in.exe
  C:\Users\Admin\AppData\Local\Temp\\in.exe 3550\pots.dat
  2⤵
  - Executes dropped EXE
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\in.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
\Users\Admin\AppData\Local\Temp\in.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
\Users\Admin\AppData\Local\Temp\in.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
memory/588-58-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download