Analysis
- max time kernel: 41s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-11-2022 17:45
Static task: static1
Behavioral task: behavioral1; Sample: Odwikp.dll; Resource: win7-20220812-en
Behavioral task: behavioral2; Sample: Odwikp.dll; Resource: win10v2004-20220812-en
Behavioral task: behavioral3; Sample: Unpaid_3945_Oct31.html; Resource: win7-20220812-en
Behavioral task: behavioral4; Sample: Unpaid_3945_Oct31.html; Resource: win10v2004-20220901-en
Behavioral task: behavioral5; Sample: document_3_Oct31.iso.contents/Data.lnk; Resource: win7-20220812-en
Behavioral task: behavioral6; Sample: document_3_Oct31.iso.contents/Data.lnk; Resource: win10v2004-20220901-en
Behavioral task: behavioral7; Sample: document_3_Oct31.iso.contents/ribfaymasnot/chickenrelaxed.bat; Resource: win7-20220812-en
Behavioral task: behavioral8; Sample: document_3_Oct31.iso.contents/ribfaymasnot/chickenrelaxed.bat; Resource: win10v2004-20220901-en
General
- Target: document_3_Oct31.iso.contents/ribfaymasnot/chickenrelaxed.bat
- Size: 1KB
- MD5: 828b1399a4a4ed0982be3def3ac1b9ca
- SHA1: 5929cbf6381665b40207e11c009aefae2d215cb1
- SHA256: 0d64fb2cd5cce8f8e8a9ac1c311d1867ec1dadb7622a3bc5e930d1c7063ae62e
- SHA512: ba142ad12943295363436b2881089318a104a0b5e18c7fffbc52301aa2b5486ad026dadee86f0a242fa19e59d706402557be4d4a48a1f9e2f1dccfcd3bc88833
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description | pid | process | target process
  PID 1688 wrote to memory of 928 | 1688 | cmd.exe | xcopy.exe
  PID 1688 wrote to memory of 928 | 1688 | cmd.exe | xcopy.exe
  PID 1688 wrote to memory of 928 | 1688 | cmd.exe | xcopy.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\document_3_Oct31.iso.contents\ribfaymasnot\chickenrelaxed.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\xcopy.exe
    xcopy /s /i /e /h ribfaymasnot\shortening.dat C:\Users\Admin\AppData\Local\Temp\*
Network
MITRE ATT&CK Matrix
Downloads
- memory/928-54-0x0000000000000000-mapping.dmp