70b109fee37c587d815cf848a7b30bfefe77b8e0d7b485183c9782e3c3fc721c | Triage

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 10:39

Sharing

Report Analysis Logs

General

Target

New folder/execute.bat
Size

47B
MD5

bdc9e34bc73e2b595b0d6dec9bf04cd8
SHA1

fc574c22b2c85aa3def41110792869db527f2c5c
SHA256

d5dc18a295975bc1976c296729325ba312ad69efb6187adb5b0e403b81b2903b
SHA512

5fb9cbe0a93e9500a5600f2a513ab775454cdb7d453b4f6733e63dac8c073616ff1e87618d30c206089beaf959c3d688d4fd70c994d23763f10193008c7cb0d6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3296 1732 WerFault.exe Autoit3.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Autoit3.exe

pid process

1732 Autoit3.exe
1732 Autoit3.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Autoit3.exe

pid process

1732 Autoit3.exe
1732 Autoit3.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 3240	4028	cmd.exe	cmd.exe
PID 4028 wrote to memory of 3240	4028	cmd.exe	cmd.exe
PID 3240 wrote to memory of 1732	3240	cmd.exe	Autoit3.exe
PID 3240 wrote to memory of 1732	3240	cmd.exe	Autoit3.exe
PID 3240 wrote to memory of 1732	3240	cmd.exe	Autoit3.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\execute.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\cmd.exe
cmd /c autoit3.exe ac337d0e2c1d6f6a1132285a.au3
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\New folder\Autoit3.exe
autoit3.exe ac337d0e2c1d6f6a1132285a.au3
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 676
4⤵
- Program crash
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1732 -ip 1732
1⤵
PID:4644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-1-0x0000000003F20000-0x0000000004020000-memory.dmp

Filesize
1024KB

Download