aaf658e5a573d58899bd6219b7a1adb4eca722aebb920f612a105e3a72082eef

Analysis

max time kernel
1559s
max time network
1560s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 15:07

Target

Loveware-master/Loveware/Loveware.bat
Size

27KB
MD5

499c5aa1b21e9029f76bc57de37907ad
SHA1

a2552f2bc1f7d10eb409e864d15065ff1cab94b9
SHA256

eacce5121ddb3922e6234a3210e9e291028d0520e1ceb7e325d3a093917eb228
SHA512

56e9bacfe08f6511ad54c4134f7a051b434e0e3db60a73eebd4d3f12dd29f9f95ed77e54765ec10f4b50894e2ba0ee0de66288c148f1feef9084f61baaa41a50
SSDEEP

384:0omL5IjEZiZryAOENuPuOJsYTQpLuLpDq7QYfLGMV+jasHHLgLxLJsYTgV+L0py/:0nmNu2OJsYTBJcJsYTtz9aF4GC

Score

4^/10

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ifvm.vbs	cmd.exe
File opened for modification	C:\Windows\ifvm.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1884	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2860	1268	cmd.exe	29
PID 1268 wrote to memory of 2860	1268	cmd.exe	29
PID 1268 wrote to memory of 2860	1268	cmd.exe	29
PID 2860 wrote to memory of 1884	2860	cmd.exe	30
PID 2860 wrote to memory of 1884	2860	cmd.exe	30
PID 2860 wrote to memory of 1884	2860	cmd.exe	30
PID 1268 wrote to memory of 2580	1268	cmd.exe	32
PID 1268 wrote to memory of 2580	1268	cmd.exe	32
PID 1268 wrote to memory of 2580	1268	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loveware-master\Loveware\Loveware.bat"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\ifvm.vbs"
  2⤵
  PID:2580

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\ifvm.vbs

Filesize
246B

MD5
6c1a5496a5e830f65bb650d7ecd95767

SHA1
2ec967c077c7551e62977119afde36a56def19af

SHA256
4c1c3d1a518e0f63642d906ba0d97ed394b0bca2fc5a3437e7f30a3f479197d0

SHA512
ba6f4f9804ca91abd7341b5bb009042990473ebbd0ca8cb8be54dff88ac47db4cb054f2b8a2630e0af2587ef94c9781f31a582fd252d47d97752e23eacfd820a

Download Submit
memory/1884-4-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1884-5-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1884-6-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1884-7-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/1884-8-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1884-9-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/1884-10-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/1884-11-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/1884-12-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download