2c9a1589ddb6fb301b4900816e51faf0cde4d90148e1c233d25862be62bb2dd8 | Triage

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 13:33

Sharing

Report Analysis Logs

General

Target

sandalwood/mynah.cmd
Size

299B
MD5

da182f2f18108a219f8ef565e54868e6
SHA1

5db854d6814cae549ab0389fa043a7b48f5d80dc
SHA256

f861ae19db7fb3de597e5bb2fa83fc387cda06108461b805bda8025849e04fff
SHA512

f18aa570d02507604a024edce17b15cb7f1e8790d7f865a54180a224ce6bcb66eeb7df9e96a1742c9b01923858c243bc750cc2f77e3b010c02364343a1da939f

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1748	1828	cmd.exe	28
PID 1828 wrote to memory of 1748	1828	cmd.exe	28
PID 1828 wrote to memory of 1748	1828	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sandalwood\mynah.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\replace.exe
  replace C:\Windows\\32\\r32.exe C:\Users\Admin\AppData\Local\Temp /A
  2⤵
  PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-54-0x0000000000000000-mapping.dmp

Download