acd9fa27b779469770a4c53602c8bbd33607e1624bf6b5dfd605e2211aa9bae4 | Triage

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-01-2023 21:02

Sharing

Report Analysis Logs

General

Target

firvetourg/denmedmudc.cmd
Size

1KB
MD5

c28f4835e4522c127c5d0306e4882bc3
SHA1

26c24e97e961d50cd6ac2c88d307a000f85e89fc
SHA256

01ef8a55d948b5b1c60741b689fa31a755bca5f1d0b13b34282ad0031b754797
SHA512

5511c255f2129282ce1da65711f76d039f2f4b4231db2f0395b3eee76cad61c5098d4f151f4701705fedad4bd23a8818377eee6fa592af3fedef58df25676bf8

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 856 wrote to memory of 996	856	cmd.exe	xcopy.exe
PID 856 wrote to memory of 996	856	cmd.exe	xcopy.exe
PID 856 wrote to memory of 996	856	cmd.exe	xcopy.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\firvetourg\denmedmudc.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h firvetourg\reencountering.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:996

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-54-0x0000000000000000-mapping.dmp

Download