Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/02/2023, 19:31
Static task: static1
Behavioral task: behavioral1
  Sample: REJ_1766.iso
  Resource: win10-20220812-en
Behavioral task: behavioral2
  Sample: REJ.lnk
  Resource: win10-20220901-en
Behavioral task: behavioral3
  Sample: oslo/nicks.txt
  Resource: win10-20220812-en
Behavioral task: behavioral4
  Sample: oslo/they.cmd
  Resource: win10-20220812-en
Behavioral task: behavioral5
  Sample: oslo/train.png
  Resource: win10-20220901-en
General
Target: oslo/they.cmd
Size: 295B
MD5: c10b599f771fd5446afb0b257bae3dd2
SHA1: bc3f1240c8008d7fc43fe87a0e26a78fe1f1b6d6
SHA256: 7e6319c5ba4e4b64256c8df9c7a1d62705c9b55627d151c24fbcb372df83cc50
SHA512: 03f1f0cd120d159f8b95fe71491c3899d36ae1897770c002ab1f75cf0888992bc72516b19f7b6ae1f7a3aac39a50c3f005f0589eb6df34985eed4b0fa4a60107
Malware Config
Signatures
Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  428   PING.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid    Process   procid_target
  PID 4436 wrote to memory of 4204     4436   cmd.exe   67
  PID 4436 wrote to memory of 4204     4436   cmd.exe   67
  PID 4436 wrote to memory of 428      4436   cmd.exe   68
  PID 4436 wrote to memory of 428      4436   cmd.exe   68
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\oslo\they.cmd"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 4436
   2. C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\\\\\\system32\\\\\\regsvr32.exe oslo\trudge.dat
      PID: 4204
   2. C:\Windows\system32\PING.EXE
      Command line: ping google.com
      Signatures: Runs ping.exe
      PID: 428