ec40b02808d3d26c4ea23a27aff75f2ae1ea4ae9ae3e6854140efffcedb4a1c1

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 06:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

_.bat
Size

1008B
MD5

a321fe09835442a34e675343a6fc2704
SHA1

d4d6672df5e79c4cb62909ad55e1128f72c2bab6
SHA256

ec40b02808d3d26c4ea23a27aff75f2ae1ea4ae9ae3e6854140efffcedb4a1c1
SHA512

57e4f316f1447e0b042b399ea7e88e9615db96e97712f8aaa5bbc62ee80404841ff3a1af46fc3ed8de3c5ea02eea7a7ead62a7c8e8c567ddebec73f78efc526d

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_.bat	cmd.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 1400	488	cmd.exe	29
PID 488 wrote to memory of 1400	488	cmd.exe	29
PID 488 wrote to memory of 1400	488	cmd.exe	29
PID 488 wrote to memory of 2368	488	cmd.exe	30
PID 488 wrote to memory of 2368	488	cmd.exe	30
PID 488 wrote to memory of 2368	488	cmd.exe	30
PID 488 wrote to memory of 2304	488	cmd.exe	31
PID 488 wrote to memory of 2304	488	cmd.exe	31
PID 488 wrote to memory of 2304	488	cmd.exe	31
PID 488 wrote to memory of 2280	488	cmd.exe	32
PID 488 wrote to memory of 2280	488	cmd.exe	32
PID 488 wrote to memory of 2280	488	cmd.exe	32
PID 488 wrote to memory of 1164	488	cmd.exe	33
PID 488 wrote to memory of 1164	488	cmd.exe	33
PID 488 wrote to memory of 1164	488	cmd.exe	33
PID 488 wrote to memory of 632	488	cmd.exe	34
PID 488 wrote to memory of 632	488	cmd.exe	34
PID 488 wrote to memory of 632	488	cmd.exe	34
PID 488 wrote to memory of 2956	488	cmd.exe	35
PID 488 wrote to memory of 2956	488	cmd.exe	35
PID 488 wrote to memory of 2956	488	cmd.exe	35
PID 488 wrote to memory of 1708	488	cmd.exe	36
PID 488 wrote to memory of 1708	488	cmd.exe	36
PID 488 wrote to memory of 1708	488	cmd.exe	36
PID 488 wrote to memory of 2844	488	cmd.exe	37
PID 488 wrote to memory of 2844	488	cmd.exe	37
PID 488 wrote to memory of 2844	488	cmd.exe	37
PID 488 wrote to memory of 2096	488	cmd.exe	38
PID 488 wrote to memory of 2096	488	cmd.exe	38
PID 488 wrote to memory of 2096	488	cmd.exe	38
PID 488 wrote to memory of 2288	488	cmd.exe	39
PID 488 wrote to memory of 2288	488	cmd.exe	39
PID 488 wrote to memory of 2288	488	cmd.exe	39
PID 488 wrote to memory of 1904	488	cmd.exe	40
PID 488 wrote to memory of 1904	488	cmd.exe	40
PID 488 wrote to memory of 1904	488	cmd.exe	40
PID 488 wrote to memory of 2340	488	cmd.exe	41
PID 488 wrote to memory of 2340	488	cmd.exe	41
PID 488 wrote to memory of 2340	488	cmd.exe	41
PID 488 wrote to memory of 2336	488	cmd.exe	42
PID 488 wrote to memory of 2336	488	cmd.exe	42
PID 488 wrote to memory of 2336	488	cmd.exe	42
PID 488 wrote to memory of 2668	488	cmd.exe	43
PID 488 wrote to memory of 2668	488	cmd.exe	43
PID 488 wrote to memory of 2668	488	cmd.exe	43
PID 488 wrote to memory of 2672	488	cmd.exe	44
PID 488 wrote to memory of 2672	488	cmd.exe	44
PID 488 wrote to memory of 2672	488	cmd.exe	44
PID 488 wrote to memory of 2784	488	cmd.exe	45
PID 488 wrote to memory of 2784	488	cmd.exe	45
PID 488 wrote to memory of 2784	488	cmd.exe	45
PID 488 wrote to memory of 2788	488	cmd.exe	46
PID 488 wrote to memory of 2788	488	cmd.exe	46
PID 488 wrote to memory of 2788	488	cmd.exe	46

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\_.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\system32\certutil.exe
  certutil -encode *.DOC encoded.doc
  2⤵
  PID:1400
- C:\Windows\system32\certutil.exe
  certutil -encode *.JPEG encoded.jpeg
  2⤵
  PID:2368
- C:\Windows\system32\certutil.exe
  certutil -encode *.LNK encoded.lnk
  2⤵
  PID:2304
- C:\Windows\system32\certutil.exe
  certutil -encode *.AVI encoded.avi
  2⤵
  PID:2280
- C:\Windows\system32\certutil.exe
  certutil -encode *.MPEG encoded.mpeg
  2⤵
  PID:1164
- C:\Windows\system32\certutil.exe
  certutil -encode *.COM encoded.com
  2⤵
  PID:632
- C:\Windows\system32\certutil.exe
  certutil -encode *.BAT encoded.bat
  2⤵
  PID:2956
- C:\Windows\system32\certutil.exe
  certutil -encode *.MP3 encoded.mp3
  2⤵
  PID:1708
- C:\Windows\system32\certutil.exe
  certutil -encode *.MP4 encoded.mp4
  2⤵
  PID:2844
- C:\Windows\system32\certutil.exe
  certutil -encode *.CSV encoded.csv
  2⤵
  PID:2096
- C:\Windows\system32\certutil.exe
  certutil -encode *.PDF encoded.pdf
  2⤵
  PID:2288
- C:\Windows\system32\certutil.exe
  certutil -encode *.EXE encoded.exe
  2⤵
  PID:1904
- C:\Windows\system32\certutil.exe
  certutil -encode *.PNG encoded.png
  2⤵
  PID:2340
- C:\Windows\system32\certutil.exe
  certutil -encode *.WAV encoded.wav
  2⤵
  PID:2336
- C:\Windows\system32\certutil.exe
  certutil -encode *.PSD encoded.psd
  2⤵
  PID:2668
- C:\Windows\system32\certutil.exe
  certutil -encode *.MOV encoded.mov
  2⤵
  PID:2672
- C:\Windows\system32\certutil.exe
  certutil -encode *.RAR encoded.rar
  2⤵
  PID:2784
- C:\Windows\system32\certutil.exe
  certutil -encode *.PFA encoded.pfa
  2⤵
  PID:2788

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads