Analysis
max time kernel: 91s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 13:02
Static task: static1
Behavioral task behavioral1: sample RR.lnk, resource win7-20220812-en
Behavioral task behavioral2: sample RR.lnk, resource win10v2004-20220901-en
Behavioral task behavioral3: sample unnautical/compassionable.cmd, resource win7-20220812-en
Behavioral task behavioral4: sample unnautical/compassionable.cmd, resource win10v2004-20220901-en
Behavioral task behavioral5: sample unnautical/pursuit.cmd, resource win7-20220901-en
Behavioral task behavioral6: sample unnautical/pursuit.cmd, resource win10v2004-20221111-en
Behavioral task behavioral7: sample unnautical/unbundles.dll, resource win7-20220901-en
General
Target: unnautical/compassionable.cmd
Size: 279B
MD5: 54f90e2c06e60852d3f75385d6e6f648
SHA1: 413c32edcdede34138bdd9d224fe7f9b649c9149
SHA256: cc770c3b6d2b8e62d640cdb1628cc6bdbe533dfe0e79f4be5721967a87e0536c
SHA512: 521f76128948d3f550dc01cef6bb51cb5bc42f0984ed2fa0fb3e8e38f7c9c34bb49872439f1b1646b121ea24dcd283460bba53c76875e0c93d6e71b05125faf5
Malware Config
Signatures
Suspicious use of WriteProcessMemory (2 IoCs)
Process: cmd.exe
description | pid | process | target process
PID 528 wrote to memory of 2616 | 528 | cmd.exe | replace.exe
PID 528 wrote to memory of 2616 | 528 | cmd.exe | replace.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\unnautical\compassionable.cmd"
  Suspicious use of WriteProcessMemory
  C:\Windows\system32\replace.exe
    Command line: replace C:\Windows\\32\\r32.exe C:\Users\Admin\AppData\Local\Temp /A
Network
MITRE ATT&CK Matrix
Downloads
memory/2616-132-0x0000000000000000-mapping.dmp