da6c145f300915977c365d9a3d80da918f831b19a4d1e5c726a4fff7ad62c434

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RickAstley.exe
Size

149KB
MD5

5c70ba1ac352c877a5e6ce65aa9e18a3
SHA1

4f6316aed83e1682a5c4a547f2f8eee1b9dc729c
SHA256

da6c145f300915977c365d9a3d80da918f831b19a4d1e5c726a4fff7ad62c434
SHA512

03501f6dbee4b24043ef47e2662ed4ff3a329bc7571d492f281ff175f3268b05f0281e3fa6aeafc1ad9f42b4591dce807565ff1028f21afd499081d76e17404c
SSDEEP

3072:R7DhdC6kzWypvaQ0FxyNTBfyDYXbkfiH/6uiITmjW3E9y48kCun:RBlkZvaF4NTBKobkGy4mjkun

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2724	1444	RickAstley.exe	29
PID 1444 wrote to memory of 2724	1444	RickAstley.exe	29
PID 1444 wrote to memory of 2724	1444	RickAstley.exe	29
PID 1444 wrote to memory of 2724	1444	RickAstley.exe	29
PID 2724 wrote to memory of 2612	2724	cmd.exe	30
PID 2724 wrote to memory of 2612	2724	cmd.exe	30
PID 2724 wrote to memory of 2612	2724	cmd.exe	30
PID 2724 wrote to memory of 2648	2724	cmd.exe	31
PID 2724 wrote to memory of 2648	2724	cmd.exe	31
PID 2724 wrote to memory of 2648	2724	cmd.exe	31
PID 2724 wrote to memory of 2644	2724	cmd.exe	32
PID 2724 wrote to memory of 2644	2724	cmd.exe	32
PID 2724 wrote to memory of 2644	2724	cmd.exe	32
PID 2724 wrote to memory of 2692	2724	cmd.exe	33
PID 2724 wrote to memory of 2692	2724	cmd.exe	33
PID 2724 wrote to memory of 2692	2724	cmd.exe	33
PID 2724 wrote to memory of 2984	2724	cmd.exe	34
PID 2724 wrote to memory of 2984	2724	cmd.exe	34
PID 2724 wrote to memory of 2984	2724	cmd.exe	34
PID 2724 wrote to memory of 2520	2724	cmd.exe	35
PID 2724 wrote to memory of 2520	2724	cmd.exe	35
PID 2724 wrote to memory of 2520	2724	cmd.exe	35
PID 2724 wrote to memory of 2568	2724	cmd.exe	36
PID 2724 wrote to memory of 2568	2724	cmd.exe	36
PID 2724 wrote to memory of 2568	2724	cmd.exe	36
PID 2724 wrote to memory of 2016	2724	cmd.exe	37
PID 2724 wrote to memory of 2016	2724	cmd.exe	37
PID 2724 wrote to memory of 2016	2724	cmd.exe	37
PID 2724 wrote to memory of 2464	2724	cmd.exe	38
PID 2724 wrote to memory of 2464	2724	cmd.exe	38
PID 2724 wrote to memory of 2464	2724	cmd.exe	38
PID 2724 wrote to memory of 2896	2724	cmd.exe	39
PID 2724 wrote to memory of 2896	2724	cmd.exe	39
PID 2724 wrote to memory of 2896	2724	cmd.exe	39
PID 2724 wrote to memory of 1684	2724	cmd.exe	40
PID 2724 wrote to memory of 1684	2724	cmd.exe	40
PID 2724 wrote to memory of 1684	2724	cmd.exe	40
PID 2724 wrote to memory of 1076	2724	cmd.exe	41
PID 2724 wrote to memory of 1076	2724	cmd.exe	41
PID 2724 wrote to memory of 1076	2724	cmd.exe	41
PID 2724 wrote to memory of 2756	2724	cmd.exe	42
PID 2724 wrote to memory of 2756	2724	cmd.exe	42
PID 2724 wrote to memory of 2756	2724	cmd.exe	42
PID 2724 wrote to memory of 2784	2724	cmd.exe	43
PID 2724 wrote to memory of 2784	2724	cmd.exe	43
PID 2724 wrote to memory of 2784	2724	cmd.exe	43
PID 2724 wrote to memory of 2992	2724	cmd.exe	44
PID 2724 wrote to memory of 2992	2724	cmd.exe	44
PID 2724 wrote to memory of 2992	2724	cmd.exe	44
PID 2724 wrote to memory of 856	2724	cmd.exe	45
PID 2724 wrote to memory of 856	2724	cmd.exe	45
PID 2724 wrote to memory of 856	2724	cmd.exe	45
PID 2724 wrote to memory of 1748	2724	cmd.exe	46
PID 2724 wrote to memory of 1748	2724	cmd.exe	46
PID 2724 wrote to memory of 1748	2724	cmd.exe	46
PID 2724 wrote to memory of 1696	2724	cmd.exe	47
PID 2724 wrote to memory of 1696	2724	cmd.exe	47
PID 2724 wrote to memory of 1696	2724	cmd.exe	47
PID 2724 wrote to memory of 1648	2724	cmd.exe	48
PID 2724 wrote to memory of 1648	2724	cmd.exe	48
PID 2724 wrote to memory of 1648	2724	cmd.exe	48
PID 2724 wrote to memory of 1672	2724	cmd.exe	49
PID 2724 wrote to memory of 1672	2724	cmd.exe	49
PID 2724 wrote to memory of 1672	2724	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\RickAstley.exe
"C:\Users\Admin\AppData\Local\Temp\RickAstley.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\36BA.tmp\36BB.tmp\36BC.bat C:\Users\Admin\AppData\Local\Temp\RickAstley.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2612
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2648
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2644
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2692
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2984
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2520
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2568
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2016
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2464
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2896
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1684
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1076
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2756
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2784
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2992
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:856
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1748
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1696
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1648
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1672
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:588
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1344
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:440
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1500
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:280
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:980
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1700
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:1224
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36BA.tmp\36BB.tmp\36BC.bat

Filesize
1KB

MD5
1fe3aa05b5d5414395435238628609ba

SHA1
a1eb0a0015fec45617d884de097c7906b19c5998

SHA256
f3c27308bc6ed741431a90e0475ff1f11686f75bf0fadee5276dcaaa5115fb67

SHA512
77650aaf6bd76a87aea437e3927ae8382a4d4b6fca5dfb78c1d96d399e411e9a55d6c0d2d326c4639504eed2eed702084ba8c15795e76cf3712c83e6ebb8242c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
40B

MD5
8dae9203ec01b52868c2f36f6570a843

SHA1
8a3660cb6a008f1274859e96a6aef7865eacf070

SHA256
ebbf6c35a03d10686f47c06854e90343af904d013dc1cee8733dc0e47f9f83f4

SHA512
288228165c78a3b68f4a163b68f8dcd4a82d9a3eeab97478ed207359c908e0f5b5a1b73f09d707fea496139db0abd20eb83a5f93f57dbfc04f7a9481c27ba7e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads