Analysis
-
max time kernel
110s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2023 16:35
Behavioral task
behavioral1
Sample
06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe
Resource
win10v2004-20231127-en
General
-
Target
06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe
-
Size
6.9MB
-
MD5
23969a4ef90b4c3acf54150097f6b1b9
-
SHA1
1c85bff30b3c4f822ac33c48442fdc2f51cd5645
-
SHA256
06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280
-
SHA512
c970ee4541af0d8a11c179250ebdb74913b9775f34fe860e3f3840a7b579dcf7ee09aa8cacbc4cb491ad5ec0fb44bf265d9b611b841b5ca21fc04c069b3d1f63
-
SSDEEP
49152:a92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4Iu9NT/IeswF69G:/mP7i+Rf0es5u29NTAcSE8HIX
Malware Config
Signatures
-
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exedescription pid process target process PID 3460 wrote to memory of 4520 3460 06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe cmd.exe PID 3460 wrote to memory of 4520 3460 06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe cmd.exe PID 3460 wrote to memory of 4520 3460 06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe"C:\Users\Admin\AppData\Local\Temp\06ca26d431a929cfd719458da758b7ac404b5865ae720e9ed2b4b3a9f0187280.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat2⤵
- Drops startup file
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\s.batFilesize
323B
MD52d4d597e3ccc747887f77f9c73888a67
SHA1b1c837d274fa0c789490f1e14d68de695b95254a
SHA256f54cd610db2c92f85a651129e2d581743abd9362ef87674b494ddf157105af97
SHA512e36ef6db374ccbf7a448c8afeb09108a1a89a995235f33034c661153e34855980e63530db732e4b63d46ab50586f6b243781ff184895921e931f3696c0a655cb
-
memory/3460-0-0x0000000000400000-0x0000000000AE4000-memory.dmpFilesize
6.9MB
-
memory/3460-6-0x0000000000400000-0x0000000000AE4000-memory.dmpFilesize
6.9MB