630da0263f187d1cf936ebdd29c190ddff3ef7591a4fcad9a90ed0f237e74149

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

love.exe
Size

96KB
MD5

d9285883feff237e42b1f751d8997db2
SHA1

1fc271bc3f8e9bc7ab891616ea316557ddc9a830
SHA256

630da0263f187d1cf936ebdd29c190ddff3ef7591a4fcad9a90ed0f237e74149
SHA512

dfbb30d9dd70efad5aac1e9f7da5d06d9ad50ba5fb8ca1cdd1c7cd90642ee68138f30b247c616fe76f39c2bb66a6887d3576f9e9fd26f0a0d0394ba59abf1fb5
SSDEEP

3072:B23rbZi/8GprF3jg/oehGnEZau5zNrMjcXdn:BKr1i/8UFyhGnEZau5zNrMjcXp

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2592	2060	love.exe	29
PID 2060 wrote to memory of 2592	2060	love.exe	29
PID 2060 wrote to memory of 2592	2060	love.exe	29
PID 2060 wrote to memory of 2592	2060	love.exe	29
PID 2592 wrote to memory of 2604	2592	cmd.exe	30
PID 2592 wrote to memory of 2604	2592	cmd.exe	30
PID 2592 wrote to memory of 2604	2592	cmd.exe	30
PID 2592 wrote to memory of 2604	2592	cmd.exe	30
PID 2060 wrote to memory of 2664	2060	love.exe	31
PID 2060 wrote to memory of 2664	2060	love.exe	31
PID 2060 wrote to memory of 2664	2060	love.exe	31
PID 2060 wrote to memory of 2664	2060	love.exe	31
PID 2060 wrote to memory of 1796	2060	love.exe	32
PID 2060 wrote to memory of 1796	2060	love.exe	32
PID 2060 wrote to memory of 1796	2060	love.exe	32
PID 2060 wrote to memory of 1796	2060	love.exe	32
PID 2060 wrote to memory of 1972	2060	love.exe	33
PID 2060 wrote to memory of 1972	2060	love.exe	33
PID 2060 wrote to memory of 1972	2060	love.exe	33
PID 2060 wrote to memory of 1972	2060	love.exe	33
PID 2060 wrote to memory of 2284	2060	love.exe	34
PID 2060 wrote to memory of 2284	2060	love.exe	34
PID 2060 wrote to memory of 2284	2060	love.exe	34
PID 2060 wrote to memory of 2284	2060	love.exe	34
PID 2284 wrote to memory of 2148	2284	cmd.exe	35
PID 2284 wrote to memory of 2148	2284	cmd.exe	35
PID 2284 wrote to memory of 2148	2284	cmd.exe	35
PID 2284 wrote to memory of 2148	2284	cmd.exe	35
PID 2060 wrote to memory of 2800	2060	love.exe	36
PID 2060 wrote to memory of 2800	2060	love.exe	36
PID 2060 wrote to memory of 2800	2060	love.exe	36
PID 2060 wrote to memory of 2800	2060	love.exe	36
PID 2060 wrote to memory of 2804	2060	love.exe	37
PID 2060 wrote to memory of 2804	2060	love.exe	37
PID 2060 wrote to memory of 2804	2060	love.exe	37
PID 2060 wrote to memory of 2804	2060	love.exe	37
PID 2060 wrote to memory of 2332	2060	love.exe	38
PID 2060 wrote to memory of 2332	2060	love.exe	38
PID 2060 wrote to memory of 2332	2060	love.exe	38
PID 2060 wrote to memory of 2332	2060	love.exe	38
PID 2060 wrote to memory of 2416	2060	love.exe	39
PID 2060 wrote to memory of 2416	2060	love.exe	39
PID 2060 wrote to memory of 2416	2060	love.exe	39
PID 2060 wrote to memory of 2416	2060	love.exe	39
PID 2060 wrote to memory of 2952	2060	love.exe	42
PID 2060 wrote to memory of 2952	2060	love.exe	42
PID 2060 wrote to memory of 2952	2060	love.exe	42
PID 2060 wrote to memory of 2952	2060	love.exe	42

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2148	attrib.exe

C:\Users\Admin\AppData\Local\Temp\love.exe
"C:\Users\Admin\AppData\Local\Temp\love.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\mode.com
    mode con:cols=0080 lines=0025
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title love
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
  2⤵
  PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    3⤵
    - Views/modifies file attributes
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i6.bat

Filesize
173B

MD5
0f8f70e88009593eefaa155a8e31b1d6

SHA1
eabcc3f2135e0919e9456da0a4b1084f3382d4b6

SHA256
941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

SHA512
94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.t

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads