Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 10:39
Static task: static1

Behavioral task behavioral1
  Sample: New folder/Autoit3.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: New folder/Autoit3.exe
  Resource: win10v2004-20240426-en

Behavioral task behavioral3
  Sample: New folder/ac337d0e2c1d6f6a1132285a.au3
  Resource: win7-20240221-en

Behavioral task behavioral4
  Sample: New folder/ac337d0e2c1d6f6a1132285a.au3
  Resource: win10v2004-20240508-en

Behavioral task behavioral5
  Sample: New folder/execute.bat
  Resource: win7-20240215-en

Behavioral task behavioral6
  Sample: New folder/execute.bat
  Resource: win10v2004-20240508-en
General
Target: New folder/execute.bat
Size: 47B
MD5: bdc9e34bc73e2b595b0d6dec9bf04cd8
SHA1: fc574c22b2c85aa3def41110792869db527f2c5c
SHA256: d5dc18a295975bc1976c296729325ba312ad69efb6187adb5b0e403b81b2903b
SHA512: 5fb9cbe0a93e9500a5600f2a513ab775454cdb7d453b4f6733e63dac8c073616ff1e87618d30c206089beaf959c3d688d4fd70c994d23763f10193008c7cb0d6
Malware Config
Signatures

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  3296  1732        WerFault.exe  84

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1732  Autoit3.exe
  1732  Autoit3.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  1732  Autoit3.exe
  1732  Autoit3.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process  procid_target
  PID 4028 wrote to memory of 3240  4028  cmd.exe  83
  PID 4028 wrote to memory of 3240  4028  cmd.exe  83
  PID 3240 wrote to memory of 1732  3240  cmd.exe  84
  PID 3240 wrote to memory of 1732  3240  cmd.exe  84
  PID 3240 wrote to memory of 1732  3240  cmd.exe  84
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\execute.bat"
  PID: 4028
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: cmd /c autoit3.exe ac337d0e2c1d6f6a1132285a.au3
    PID: 3240
    Signatures: Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\New folder\Autoit3.exe
      Command line: autoit3.exe ac337d0e2c1d6f6a1132285a.au3
      PID: 1732
      Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 676
        PID: 3296
        Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1732 -ip 1732
  PID: 4644