0577b7e8c6a4d394e8be1eff342905b2f2c08490835716bd44e8e5158a3d7149

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/screenCapture_1.3.2.bat
Size

13KB
MD5

da0f40d84d72ae3e9324ad9a040a2e58
SHA1

4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256

818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512

30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9
SSDEEP

384:4cr8sEcBeIXxqXhQsBxf5oBLBfXQM8ybCpGW1KTM+:4KEcRQBTxWlPZxWpG+Qx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	screenCapture_1.3.2.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2980	csc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2980	2940	cmd.exe	29
PID 2940 wrote to memory of 2980	2940	cmd.exe	29
PID 2940 wrote to memory of 2980	2940	cmd.exe	29
PID 2940 wrote to memory of 2980	2940	cmd.exe	29
PID 2980 wrote to memory of 3048	2980	csc.exe	30
PID 2980 wrote to memory of 3048	2980	csc.exe	30
PID 2980 wrote to memory of 3048	2980	csc.exe	30
PID 2980 wrote to memory of 3048	2980	csc.exe	30
PID 2940 wrote to memory of 2748	2940	cmd.exe	31
PID 2940 wrote to memory of 2748	2940	cmd.exe	31
PID 2940 wrote to memory of 2748	2940	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F24.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC1A1FFD0C702C48ADBF8329ECC1935014.TMP"
    3⤵
    PID:3048
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
  screenCapture_1.3.2.exe
  2⤵
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1F24.tmp

Filesize
1KB

MD5
2fd61f0ed9e8b05abf3d6d95f868add9

SHA1
64185f15e327c6a5a782a619462fd32e23bcdfb2

SHA256
020292f3d766f35a1265dc6f0be16eff98ae87354eec595220f3d26036c0a97d

SHA512
ddb818b1622118622d56172ba961e243c3cd0e08193f21115cb6988f849e9b2f35e7611a13d981075c1205c91266884de29e4b7b1b7624eecccc05a51de578f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe

Filesize
12KB

MD5
024d0664203fcd3e8013352ed03b4020

SHA1
5bc83c1df1f6d5214cbe2ad0bf5bfcef89b2c7ab

SHA256
a3e302a8fa37df81d4c647124e51f43f1924c15758f5105ec31aa3c4a5aaf2b8

SHA512
bee9870e17803478530e62d952043611e3e4059f2774e9b8f169249fc835fb38a3c9eeb115f7242b091c04e3c7ee0d8475589dc70a7906d4b7654d9c5a0e77d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC1A1FFD0C702C48ADBF8329ECC1935014.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
memory/2748-8-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2748-9-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-10-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads