7d47a48cf6aa0f78edc6fb4e595cb49dd372a5997aee15156b38fe3ad126e962

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 01:15

Target

prepolice/Ptomatropine/AccentedPecked/pigsney.cmd
Size

732B
MD5

79b7237476524b5b3ba994dddb148333
SHA1

942cecd35ee50f0ba8a2012dc5b3b93f96d263e9
SHA256

3434b023e3b29fccbc093730fc62164622a48d303fd715f5ce88293be43d0061
SHA512

fa021dd499791c11bece0e9289a346dba8cd6256946376c56e2560c6c0f23e07869c5bb811963976f8caf989137f955d56d1eba2e64afd2457fb8141ad856054

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4708	Vaporographic.exe
404	SclaffertAcetimetry.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2688	376	cmd.exe	87
PID 376 wrote to memory of 2688	376	cmd.exe	87
PID 376 wrote to memory of 116	376	cmd.exe	88
PID 376 wrote to memory of 116	376	cmd.exe	88
PID 376 wrote to memory of 1324	376	cmd.exe	90
PID 376 wrote to memory of 1324	376	cmd.exe	90
PID 376 wrote to memory of 2876	376	cmd.exe	89
PID 376 wrote to memory of 2876	376	cmd.exe	89
PID 376 wrote to memory of 4708	376	cmd.exe	91
PID 376 wrote to memory of 4708	376	cmd.exe	91
PID 376 wrote to memory of 404	376	cmd.exe	92
PID 376 wrote to memory of 404	376	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\prepolice\Ptomatropine\AccentedPecked\pigsney.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo f"
  2⤵
  PID:2688
- C:\Windows\system32\xcopy.exe
  xcopy C:\Windows\\\\\\system32\\\\\\wscript.exe C:\Users\Admin\AppData\Local\Temp\SclaffertAcetimetry.exe /h /s /e
  2⤵
  PID:116
- C:\Windows\system32\xcopy.exe
  xcopy C:\Windows\\\\\\system32\\\\\\reg.exe C:\Users\Admin\AppData\Local\Temp\Vaporographic.exe /h /s /e
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo f"
  2⤵
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\Vaporographic.exe
  C:\Users\Admin\AppData\Local\Temp\Vaporographic.exe import MessinesBroggle\outsweeping.VEs
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\SclaffertAcetimetry.exe
  C:\Users\Admin\AppData\Local\Temp\SclaffertAcetimetry.exe MessinesBroggle\Practice.wsf
  2⤵
  - Executes dropped EXE
  PID:404

C:\Users\Admin\AppData\Local\Temp\SclaffertAcetimetry.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SclaffertAcetimetry.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vaporographic.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit