Analysis
max time kernel: 2s
max time network: 3s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:44
Static task: static1
Behavioral task: behavioral1
  Sample: inst.bat
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: inst.bat
  Resource: win10v2004-20240226-en
General
Target: inst.bat
Size: 2KB
MD5: 5db1b6f0dfc6a3e26d9d9b77e6778229
SHA1: 47e07ee10cb4c315026a465b83bffc282192cd77
SHA256: 9d547709cc6d3b8a7feb004691b77a5c107a0c6f8ddc00c30934ddaca41d6b53
SHA512: f986fa92cc0a11a5d131162bac6c091ce4ed484ec50c4e648a4c5c21eb635f2fbf3ca3f0c39cd9765b4880abf2932bf43c9f7446b5d47b952ec19f3771540659
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (12 IoCs)
  description                          PID   Process      procid_target
  PID 2172 wrote to memory of 2596     2172  cmd.exe      29
  PID 2172 wrote to memory of 2596     2172  cmd.exe      29
  PID 2172 wrote to memory of 2596     2172  cmd.exe      29
  PID 2172 wrote to memory of 2532     2172  cmd.exe      30
  PID 2172 wrote to memory of 2532     2172  cmd.exe      30
  PID 2172 wrote to memory of 2532     2172  cmd.exe      30
  PID 2172 wrote to memory of 2892     2172  cmd.exe      31
  PID 2172 wrote to memory of 2892     2172  cmd.exe      31
  PID 2172 wrote to memory of 2892     2172  cmd.exe      31
  PID 2892 wrote to memory of 1744     2892  WScript.exe  32
  PID 2892 wrote to memory of 1744     2892  WScript.exe  32
  PID 2892 wrote to memory of 1744     2892  WScript.exe  32
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\inst.bat"
   PID: 2172
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\308123135888722084230355\CreateShortcut.vbs"
      PID: 2596
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\308123135888722084230355\CreateShortcut.vbs"
      PID: 2532
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Tortilla30812\start.vbs"
      PID: 2892
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\Tortilla30812\start.bat" "
         PID: 1744
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 226B
MD5: 0cc9adeaa67c6b3b8857fc2804436782
SHA1: f8e6c3c755f2c25d26f9a229faba31b509bdd80e
SHA256: c0823c2624b7e57056efde565319a7d6196402f6c0fb0f46056e469b58f8c71e
SHA512: edf558d80c84287cc083714ae21dbe8efa800491d9a6d04514bf965333e02a26334942af6d2575392bfb80d2d88ce8be9125d348c0b531bd014fadb693a39a91

Filesize: 272B
MD5: d1b4ac2acd9a5c91eafc5ecc0a0f0ce7
SHA1: 984c57795e8cf0633c2c28de5b4fe3b574f068b8
SHA256: c7d715165c7d7f6731820f8e5d5ad86412c9ca30e49d4d104356bd5ce5aacfd2
SHA512: 4dc3f9e831eea06caf19420ab79a1cae7fd507a4fc7c6a3241900c5a6a27050ba61e20050db3f9b39fe745de3cd470eae57f31a8f8b6a2a69cba19ad3baaca83

Filesize: 56B
MD5: db61883bbde38c877704bfb6a0250c3d
SHA1: c99635454f759ba967f773cbad5ba7e22ad9eccf
SHA256: d2273135ce3bc671ef806e741f85ee966341bf930186452c625487cffcecdba4
SHA512: 6e0bb2a69651c7e52715458a855b5feae5a19ff09cd0572e5074714bf0afd516d6f324c17ad1402514024933bfbd79f6043b84d1c5aa342ee017ba0612fbd1c8

Filesize: 120B
MD5: 835dadc83beed33ba07860401b7f9ccc
SHA1: 11325f5b5b7c18d8a58d122bd41dda68c1c74fe9
SHA256: da2a8edcc308be31b548f099437b08c14300e040830e8c88533c8f54f799af79
SHA512: 345d2fcaf826ccfcb64c62a3056e455e54d8150d58fbbb6d759f53710e107f7d3af833255c5ea495cdee2e92c6f8adb17b35b76bbaa0b81571a3c2a3abe20854