Analysis
- max time kernel: 91s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-11-2022 10:25
Static task: static1
Behavioral task behavioral1: sample pss10r.chm, resource win7-20220812-en
Behavioral task behavioral2: sample pss10r.chm, resource win10v2004-20220812-en
Behavioral task behavioral3: sample run.cmd, resource win7-20220901-en
Behavioral task behavioral4: sample run.cmd, resource win10v2004-20220812-en
Behavioral task behavioral5: sample ver123.dll, resource win7-20220812-en
Behavioral task behavioral6: sample ver123.dll, resource win10v2004-20220812-en
General
- Target: run.cmd
- Size: 159B
- MD5: bc2545a660518ef0271bdd6a8be3513c
- SHA1: ac0e485fe9101774c61a50d81dec32e174795e08
- SHA256: f96ca4d15febe51758689d9c93c5ff06449a67aacc9b619c249dd00f7b65d179
- SHA512: 6b7dc66814b4a74dd8b39c631f24bef16a98a5ac18bb7e31531c41b54c239a56e1050ed3d7f48c9e7a9da094177bd6930148c08eb4ca937a59ca4eb235fc142a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  3620  autorun.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                       pid   process   target process
  PID 3160 wrote to memory of 4440  3160  cmd.exe   cmd.exe
  PID 3160 wrote to memory of 4440  3160  cmd.exe   cmd.exe
  PID 3160 wrote to memory of 1744  3160  cmd.exe   xcopy.exe
  PID 3160 wrote to memory of 1744  3160  cmd.exe   xcopy.exe
  PID 3160 wrote to memory of 3620  3160  cmd.exe   autorun.exe
  PID 3160 wrote to memory of 3620  3160  cmd.exe   autorun.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3160
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo f "
    PID: 4440
  - C:\Windows\system32\xcopy.exe (depth 2)
    Command line: xcopy /h /y \ver123.dll C:\Users\Admin\AppData\Local\Temp\LotOfLibraries.1
    PID: 1744
  - C:\Users\Admin\AppData\Local\Temp\autorun.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\autorun.exe C:\Users\Admin\AppData\Local\Temp\LotOfLibraries.1,#1
    Signatures: Executes dropped EXE
    PID: 3620
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\autorun.exe
  Filesize: 70KB
  MD5: ef3179d498793bf4234f708d3be28633
  SHA1: dd399ae46303343f9f0da189aee11c67bd868222
  SHA256: b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
  SHA512: 02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e
- memory/1744-133-0x0000000000000000-mapping.dmp
- memory/3620-134-0x0000000000000000-mapping.dmp
- memory/4440-132-0x0000000000000000-mapping.dmp