Analysis
- max time kernel: 47s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 15-11-2022 10:25
Static task: static1
Behavioral task behavioral1: sample pss10r.chm, resource win7-20220812-en
Behavioral task behavioral2: sample pss10r.chm, resource win10v2004-20220812-en
Behavioral task behavioral3: sample run.cmd, resource win7-20220901-en
Behavioral task behavioral4: sample run.cmd, resource win10v2004-20220812-en
Behavioral task behavioral5: sample ver123.dll, resource win7-20220812-en
Behavioral task behavioral6: sample ver123.dll, resource win10v2004-20220812-en
General
- Target: run.cmd
- Size: 159B
- MD5: bc2545a660518ef0271bdd6a8be3513c
- SHA1: ac0e485fe9101774c61a50d81dec32e174795e08
- SHA256: f96ca4d15febe51758689d9c93c5ff06449a67aacc9b619c249dd00f7b65d179
- SHA512: 6b7dc66814b4a74dd8b39c631f24bef16a98a5ac18bb7e31531c41b54c239a56e1050ed3d7f48c9e7a9da094177bd6930148c08eb4ca937a59ca4eb235fc142a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: autorun.exe (PID 2040)
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe (PID 860)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source process PID 860 cmd.exe; three writes were recorded to each target):
  - PID 860 cmd.exe wrote to memory of PID 1776 cmd.exe (3 IoCs)
  - PID 860 cmd.exe wrote to memory of PID 1088 xcopy.exe (3 IoCs)
  - PID 860 cmd.exe wrote to memory of PID 2040 autorun.exe (3 IoCs)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\run.cmd"
  PID: 860
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo f "
    PID: 1776
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /h /y \ver123.dll C:\Users\Admin\AppData\Local\Temp\LotOfLibraries.1
    PID: 1088
  - C:\Users\Admin\AppData\Local\Temp\autorun.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\autorun.exe C:\Users\Admin\AppData\Local\Temp\LotOfLibraries.1,#1
    PID: 2040
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\autorun.exe
  Filesize: 44KB
  MD5: dd81d91ff3b0763c392422865c9ac12e
  SHA1: 963b55acc8c566876364716d5aafa353995812a8
  SHA256: f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9
  SHA512: 8a5036ccab9c9e71deb4ecb9598528ca19c2d697a836846d23e1547b24172fa236a798092c7db676929abff830e40f52ce8f3b3bdd8d4c2553d7c021fceaf120
- \Users\Admin\AppData\Local\Temp\autorun.exe
  Filesize: 44KB
  MD5: dd81d91ff3b0763c392422865c9ac12e
  SHA1: 963b55acc8c566876364716d5aafa353995812a8
  SHA256: f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9
  SHA512: 8a5036ccab9c9e71deb4ecb9598528ca19c2d697a836846d23e1547b24172fa236a798092c7db676929abff830e40f52ce8f3b3bdd8d4c2553d7c021fceaf120
- memory/1088-55-0x0000000000000000-mapping.dmp
- memory/1776-54-0x0000000000000000-mapping.dmp
- memory/2040-57-0x0000000000000000-mapping.dmp