412daf1ef805fc1012f2c6d8ca56335df0e984b32072535fb208402b2a419bc7

Analysis

max time kernel
123s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpiumFree.exe
Size

351KB
MD5

97b3318dd013a8192cd8baf848f1b954
SHA1

73f3f90ff537237807e1508b348b2c227b8a9467
SHA256

6ef0b0a69a059b1a1c15fd878fc6e7f861fb4bb5e3f320dec4acf2a8931b2c4a
SHA512

57a7d43a8b66a2d5ca1aec20fbceac120deb476dc951c5580bee019a29b5bd19ebd31cc8b3b2187f8de7511a1e929a20dcd5d9ddb343b1a0a1640eb0fec8b837
SSDEEP

6144:nBlkZvaF4NTBx8V39oN9lKOK46uWEQ5n95NAXWWWGYWFOHzPoqPr:noSWNTrPEOHwF951LHzoqT

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
4620	timeout.exe
1020	timeout.exe
956	timeout.exe
3312	timeout.exe
3256	timeout.exe
5020	timeout.exe
1272	timeout.exe
3336	timeout.exe

Runs net.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 4904	772	OpiumFree.exe	91
PID 772 wrote to memory of 4904	772	OpiumFree.exe	91
PID 4904 wrote to memory of 2888	4904	cmd.exe	92
PID 4904 wrote to memory of 2888	4904	cmd.exe	92
PID 4904 wrote to memory of 5116	4904	cmd.exe	93
PID 4904 wrote to memory of 5116	4904	cmd.exe	93
PID 5116 wrote to memory of 1160	5116	net.exe	94
PID 5116 wrote to memory of 1160	5116	net.exe	94
PID 4904 wrote to memory of 3676	4904	cmd.exe	95
PID 4904 wrote to memory of 3676	4904	cmd.exe	95
PID 4904 wrote to memory of 1816	4904	cmd.exe	96
PID 4904 wrote to memory of 1816	4904	cmd.exe	96
PID 4904 wrote to memory of 1476	4904	cmd.exe	97
PID 4904 wrote to memory of 1476	4904	cmd.exe	97
PID 4904 wrote to memory of 408	4904	cmd.exe	98
PID 4904 wrote to memory of 408	4904	cmd.exe	98
PID 4904 wrote to memory of 1684	4904	cmd.exe	100
PID 4904 wrote to memory of 1684	4904	cmd.exe	100
PID 4904 wrote to memory of 4852	4904	cmd.exe	101
PID 4904 wrote to memory of 4852	4904	cmd.exe	101
PID 4852 wrote to memory of 2380	4852	cmd.exe	102
PID 4852 wrote to memory of 2380	4852	cmd.exe	102
PID 4904 wrote to memory of 3356	4904	cmd.exe	103
PID 4904 wrote to memory of 3356	4904	cmd.exe	103
PID 4904 wrote to memory of 212	4904	cmd.exe	104
PID 4904 wrote to memory of 212	4904	cmd.exe	104
PID 4904 wrote to memory of 428	4904	cmd.exe	105
PID 4904 wrote to memory of 428	4904	cmd.exe	105
PID 4904 wrote to memory of 5020	4904	cmd.exe	106
PID 4904 wrote to memory of 5020	4904	cmd.exe	106
PID 4904 wrote to memory of 1272	4904	cmd.exe	107
PID 4904 wrote to memory of 1272	4904	cmd.exe	107
PID 4904 wrote to memory of 3336	4904	cmd.exe	108
PID 4904 wrote to memory of 3336	4904	cmd.exe	108
PID 4904 wrote to memory of 4620	4904	cmd.exe	109
PID 4904 wrote to memory of 4620	4904	cmd.exe	109
PID 4904 wrote to memory of 1020	4904	cmd.exe	110
PID 4904 wrote to memory of 1020	4904	cmd.exe	110
PID 4904 wrote to memory of 956	4904	cmd.exe	111
PID 4904 wrote to memory of 956	4904	cmd.exe	111
PID 4904 wrote to memory of 3312	4904	cmd.exe	112
PID 4904 wrote to memory of 3312	4904	cmd.exe	112
PID 4904 wrote to memory of 3256	4904	cmd.exe	113
PID 4904 wrote to memory of 3256	4904	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\OpiumFree.exe
"C:\Users\Admin\AppData\Local\Temp\OpiumFree.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C311.tmp\C312.tmp\C313.bat C:\Users\Admin\AppData\Local\Temp\OpiumFree.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\system32\mode.com
    mode con: cols=155
    3⤵
    PID:2888
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1160
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3676
- - C:\Windows\system32\mode.com
    mode con cols=192
    3⤵
    PID:1816
- - C:\Windows\system32\mode.com
    mode con lines=45
    3⤵
    PID:1476
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\C311.tmp\C312.tmp\C313.bat" nul /z
    3⤵
    PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\mode.com
      mode con
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c set pb.
    3⤵
    PID:3356
- - C:\Windows\system32\mode.com
    MODE CON COLS=192 LINES=45
    3⤵
    PID:212
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:428
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:5020
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1272
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3336
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:4620
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1020
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:3312
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:3256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C311.tmp\C312.tmp\C313.bat

Filesize
152KB

MD5
261743db8d8e1354c4dd7327881d6aa7

SHA1
9b92b6e9f27a82531977a37a44382673df2ff748

SHA256
5e456c7eb67e505d678ed5c30f595c7b5db28f4e5cf29e331a55909d40ce6592

SHA512
81942597501b7f342e71a0132835ac63d47802cd461af414ebb86072d7ecf8271976464d51d440064bb96fb8e6aa63fdfe9081936c9a6f69d7818b519d860e53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads