527fbfad3a7393d22732e5a3f845939fd576cd09e958b97b84368dcf6020bf29 | Triage

Analysis

max time kernel
29s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 09:54

Sharing

Report Analysis Logs

General

Target

startles/alwinton.cmd
Size

288B
MD5

0abf85f95180bd65217f7112c72afc47
SHA1

2effde89bfe8c13998152bdf0061ae87111c8696
SHA256

559252146892a488e408ed0bf05d2b610f1f097bc3fa8431e1b44b25415cb3e8
SHA512

b97bdb62ef3034de81ac46693b835e400525260f9af1438a290b6e911335128b3d054dc9a43790a0dfcbe4d5666454296b651d2d16ee5aad913356f7374448df

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 964	1964	cmd.exe	replace.exe
PID 1964 wrote to memory of 964	1964	cmd.exe	replace.exe
PID 1964 wrote to memory of 964	1964	cmd.exe	replace.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\startles\alwinton.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\replace.exe
replace C:\Windows\\32\\r32.exe C:\Users\Admin\AppData\Local\Temp /A
2⤵
PID:964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x0000000000000000-mapping.dmp

Download