396de0692dfdb825fb6e982df7350d0517c03ffdf293d8b5b3ca1daae68f8532

Analysis

max time kernel
835s
max time network
838s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 19:13

Target

ovisetup.exe
Size

7KB
MD5

30c869f86070bb17506fdc6aeaf84d60
SHA1

0cd0309850ea039337e98dd3bf9eef5706de459d
SHA256

396de0692dfdb825fb6e982df7350d0517c03ffdf293d8b5b3ca1daae68f8532
SHA512

31f0349713e80284dedc9ca8fe712005c4ba592ee2744532e5611c3969c6d4af1ccf63a2ec389b5426f2add0cb68161dd87c0abb2256b7319ab19a0766fdf9af
SSDEEP

192:3Le038gJvNdaLix9upSiP/VunlYJLLLTutQH5cqbx:3Le038gzdaLiG3hPLTuKHTb

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2672	2400	ovisetup.exe	28
PID 2400 wrote to memory of 2672	2400	ovisetup.exe	28
PID 2400 wrote to memory of 2672	2400	ovisetup.exe	28
PID 2672 wrote to memory of 2852	2672	cmd.exe	30
PID 2672 wrote to memory of 2852	2672	cmd.exe	30
PID 2672 wrote to memory of 2852	2672	cmd.exe	30
PID 2672 wrote to memory of 2700	2672	cmd.exe	31
PID 2672 wrote to memory of 2700	2672	cmd.exe	31
PID 2672 wrote to memory of 2700	2672	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\ovisetup.exe
"C:\Users\Admin\AppData\Local\Temp\ovisetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2852
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:2700

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
161B

MD5
5ef09827bef4aad974e23b11eb0a8067

SHA1
a482275ff4638789696dddd8507c0cf4a1e441d4

SHA256
f30351b84dce801806c68cdac9b967452fe8abd05ccf3190ba1d9ad025e14c9c

SHA512
aa7d1f5315206e7fffeec03c12283b987b4342d670c35bd01c6c283115ecb8525fd4227e8fb49d952ef33badac703a20c5c7683a548c1fa37b5c89ed5d197406

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
161B

MD5
5ef09827bef4aad974e23b11eb0a8067

SHA1
a482275ff4638789696dddd8507c0cf4a1e441d4

SHA256
f30351b84dce801806c68cdac9b967452fe8abd05ccf3190ba1d9ad025e14c9c

SHA512
aa7d1f5315206e7fffeec03c12283b987b4342d670c35bd01c6c283115ecb8525fd4227e8fb49d952ef33badac703a20c5c7683a548c1fa37b5c89ed5d197406

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
61B

MD5
b06245c484cbf5dde40e2d51f5861e21

SHA1
990698a4e3a8a91fb860736a7224e056e39e110b

SHA256
1b5f170a8ff16756eb8fa3d6201114aa517ceb99f512a5a2a2005141c17e5102

SHA512
760a76d6afd2863f3263cad3508cfa0049914f8b779756104a53de20aa190c6bd7219b840db63a040a7db99a80b94771bb09ecdc89bcbd9285ebda35b33da081

Download Submit
memory/2400-0-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/2400-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-10-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download