ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe
Size

79KB
MD5

ea02ff7618e819e4517ae4225031e763
SHA1

0a6c7cd2fd25f2d73edc58f3da2336d18599ebc8
SHA256

ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3
SHA512

efea6e114e9b8829b4b9e3e0128123a6241bea5f4988a8422c2c8c6e7af6d71c57ee5e19bfd7b7b9332f5e2eb04eba07e28a9deb18abc02dcbe6a6a918e47d68
SSDEEP

768:y0dpnF5/ija+1I+NYVawgYvCAvEZQ25AX94JosOy5upx/0LTWHiqZl84woTMejO8:rdJyqnvE3tJSbF0LiHi3ESUU2xaVm

Score

1^/10

Malware Config

Signatures

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1096	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1096	1268	ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe	28
PID 1268 wrote to memory of 1096	1268	ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe	28
PID 1268 wrote to memory of 1096	1268	ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe	28
PID 1268 wrote to memory of 1096	1268	ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe	28
PID 1096 wrote to memory of 852	1096	cmd.exe	30
PID 1096 wrote to memory of 852	1096	cmd.exe	30
PID 1096 wrote to memory of 852	1096	cmd.exe	30
PID 1096 wrote to memory of 852	1096	cmd.exe	30
PID 1096 wrote to memory of 564	1096	cmd.exe	31
PID 1096 wrote to memory of 564	1096	cmd.exe	31
PID 1096 wrote to memory of 564	1096	cmd.exe	31
PID 1096 wrote to memory of 564	1096	cmd.exe	31
PID 1096 wrote to memory of 1092	1096	cmd.exe	32
PID 1096 wrote to memory of 1092	1096	cmd.exe	32
PID 1096 wrote to memory of 1092	1096	cmd.exe	32
PID 1096 wrote to memory of 1092	1096	cmd.exe	32
PID 1096 wrote to memory of 1168	1096	cmd.exe	33
PID 1096 wrote to memory of 1168	1096	cmd.exe	33
PID 1096 wrote to memory of 1168	1096	cmd.exe	33
PID 1096 wrote to memory of 1168	1096	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe
"C:\Users\Admin\AppData\Local\Temp\ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12688AAF.bat" "C:\Users\Admin\AppData\Local\Temp\ddc3206eae89bd6c15dcfc30ffad30de4d8e9d5f2122bc674115b3820979cdf3.exe""
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\mode.com
    mode con:cols=52 lines=18
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /ah /s/b
    3⤵
    PID:564
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a "C:\Users\Admin\AppData\Local\Temp\12688AAF.bat"
    3⤵
    - Views/modifies file attributes
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/s/b
    3⤵
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12688AAF.bat

Filesize
1KB

MD5
69d9e9b5d43cdf8ad7cd65e13581097f

SHA1
9fb2abd847053aab0259db934b6e95246152518b

SHA256
35ac1198454a063f0ab7cadb8f52875d078472e1607720c785edb969ee5dd8cd

SHA512
4ca8dbe12a39caf32a1e8d5533c79a2fe2f72e4501f36b8f91b7abb3797705ff4f3b859bf0b6b102351f618c6750c226e2433685b81ba9b82eb373375e51cbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\12688AAF.bat

Filesize
30B

MD5
d2d3191e05d36c27b597f78f5a03cd5c

SHA1
c69303ec1d325c20ab82b8566acd2d5acea62f99

SHA256
ec091741d014316c2afe977c445ab4039cc74aeb744acb4edc87783ed7572241

SHA512
6dc06519a7d1706199f7a0019c71ec8712248f710746c3a68ffde36af372f4f583e990adde402d34975108ee00946e143f56655e69222b70fe57cc0d1cc0917f

Download Submit
memory/564-57-0x0000000000000000-mapping.dmp

Download
memory/852-56-0x0000000000000000-mapping.dmp

Download
memory/1092-58-0x0000000000000000-mapping.dmp

Download
memory/1096-54-0x0000000000000000-mapping.dmp

Download
memory/1168-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads