Analysis

  • max time kernel
    4s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2022 11:06

General

  • Target

    IRS_Form_12-01-9/wiglid/foeZv.cmd

  • Size

    1KB

  • MD5

    b5459c0fe4204241778525745d7b0a4c

  • SHA1

    4e8a41c6b36fb0f3bdc9d76b231c43924bb29779

  • SHA256

    ba1f1006aa00426a49734c8964ade417880788a7dbd92ec828705ea0bbdfcdbc

  • SHA512

    41ae13b28fb583aaed892bae735817f653caa8246c435e55dc96874b04f0222b1f35065b0bd9ba9305194a297d8c752043fa916c48751cf9bc1d899d82f77067

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe (depth 1)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\IRS_Form_12-01-9\wiglid\foeZv.cmd"
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\system32\xcopy.exe (depth 2)
      xcopy /s /i /e /h wiglid\laborsaving.dll C:\Users\Admin\AppData\Local\Temp\*
      PID:1756

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1756-54-0x0000000000000000-mapping.dmp