f28f389ac0824bee4f8747c853e85a78c3c8ee5f07098d49a6528ab40005abe1

Analysis

max time kernel
34s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22/12/2022, 16:15

Target

Sprawls.cmd
Size

398B
MD5

8be9afced6299bfb683145290a892c66
SHA1

8683bf70cb829b5a427c78987d3babbf28832564
SHA256

6023190da512fe24e7ea54a7503665e7dc6d0b138f3457e0d52a32de8f8655e4
SHA512

3c1c96e0db23d095dd2ae406cc98755fecfe478e2964fe128a0399b355bf561086d63ba4530142b57579dacf322e7f98aae8044a82d7c90286b8d9ba90841404

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
1316	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1776	1980	cmd.exe	28
PID 1980 wrote to memory of 1776	1980	cmd.exe	28
PID 1980 wrote to memory of 1776	1980	cmd.exe	28
PID 1980 wrote to memory of 1972	1980	cmd.exe	29
PID 1980 wrote to memory of 1972	1980	cmd.exe	29
PID 1980 wrote to memory of 1972	1980	cmd.exe	29
PID 1980 wrote to memory of 1316	1980	cmd.exe	30
PID 1980 wrote to memory of 1316	1980	cmd.exe	30
PID 1980 wrote to memory of 1316	1980	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Sprawls.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo f"
  2⤵
  PID:1776
- C:\Windows\system32\xcopy.exe
  xcopy C:\Windows\\\\\\system32\\\\\\wscript.exe C:\Users\Admin\AppData\Local\Temp\synechdochism.exe /h /s /e
  2⤵
  PID:1972
- C:\Windows\system32\PING.EXE
  ping 87.31.194.42
  2⤵
  - Runs ping.exe
  PID:1316

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact