b8a1e46ef14be22cfa81ffe3ed1ed5bbcb7b976d0ddaae57e842123699ac7bfe

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pluto/files/info.bat
Size

1008B
MD5

e85f0ba77dcf1c969645d2332c4acf91
SHA1

2950ca197922f4ba113234c64d70a219895386e6
SHA256

68196f1acf2cd2ee6015d79e6fc66a8ef2d878527fd7d9cef290c2a011b4c6ec
SHA512

01ac8bc0aa4e7c4565ef18ce80ce8887d5c22a9e3c3cd88dbbf9f3335d1b0793aa5ff5b86ec781663c4c5bf63a509ac7ac331ec3cf079d4bbcfc353ab4d1b619

Score

1^/10

Malware Config

Signatures

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2360	systeminfo.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2360	1948	cmd.exe	29
PID 1948 wrote to memory of 2360	1948	cmd.exe	29
PID 1948 wrote to memory of 2360	1948	cmd.exe	29
PID 1948 wrote to memory of 2660	1948	cmd.exe	32
PID 1948 wrote to memory of 2660	1948	cmd.exe	32
PID 1948 wrote to memory of 2660	1948	cmd.exe	32
PID 2660 wrote to memory of 2544	2660	cmd.exe	33
PID 2660 wrote to memory of 2544	2660	cmd.exe	33
PID 2660 wrote to memory of 2544	2660	cmd.exe	33
PID 2660 wrote to memory of 2644	2660	cmd.exe	34
PID 2660 wrote to memory of 2644	2660	cmd.exe	34
PID 2660 wrote to memory of 2644	2660	cmd.exe	34
PID 1948 wrote to memory of 1604	1948	cmd.exe	35
PID 1948 wrote to memory of 1604	1948	cmd.exe	35
PID 1948 wrote to memory of 1604	1948	cmd.exe	35
PID 1604 wrote to memory of 2652	1604	cmd.exe	36
PID 1604 wrote to memory of 2652	1604	cmd.exe	36
PID 1604 wrote to memory of 2652	1604	cmd.exe	36
PID 1604 wrote to memory of 2692	1604	cmd.exe	37
PID 1604 wrote to memory of 2692	1604	cmd.exe	37
PID 1604 wrote to memory of 2692	1604	cmd.exe	37
PID 1948 wrote to memory of 2624	1948	cmd.exe	38
PID 1948 wrote to memory of 2624	1948	cmd.exe	38
PID 1948 wrote to memory of 2624	1948	cmd.exe	38
PID 2624 wrote to memory of 2980	2624	cmd.exe	39
PID 2624 wrote to memory of 2980	2624	cmd.exe	39
PID 2624 wrote to memory of 2980	2624	cmd.exe	39
PID 2624 wrote to memory of 2520	2624	cmd.exe	40
PID 2624 wrote to memory of 2520	2624	cmd.exe	40
PID 2624 wrote to memory of 2520	2624	cmd.exe	40
PID 1948 wrote to memory of 2432	1948	cmd.exe	41
PID 1948 wrote to memory of 2432	1948	cmd.exe	41
PID 1948 wrote to memory of 2432	1948	cmd.exe	41
PID 2432 wrote to memory of 2636	2432	cmd.exe	42
PID 2432 wrote to memory of 2636	2432	cmd.exe	42
PID 2432 wrote to memory of 2636	2432	cmd.exe	42
PID 2432 wrote to memory of 328	2432	cmd.exe	43
PID 2432 wrote to memory of 328	2432	cmd.exe	43
PID 2432 wrote to memory of 328	2432	cmd.exe	43

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\pluto\files\info.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "Registered Owner"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:2544
- - C:\Windows\system32\find.exe
    find "Registered Owner"
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "OS Name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:2652
- - C:\Windows\system32\find.exe
    find "OS Name"
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "System Manufacturer"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:2980
- - C:\Windows\system32\find.exe
    find "System Manufacturer"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "Product ID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:2636
- - C:\Windows\system32\find.exe
    find "Product ID"
    3⤵
    PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.txt

Filesize
1KB

MD5
b88c69a592c4598d4b5b341e7ea698a9

SHA1
4a4ea6abb09d19ef08d1c7f032e72bda1cf72ba4

SHA256
c73e0f38fc84e18b7d51508ad511df8e9e9aa2005622be11d157b041b27b97cb

SHA512
d7ef986b0eddca7b7f645d21a1b0ea9d027e08bff217e46fac0afca6a9ab783482ea3b2ac2903d802d899a1e5909cdfb2bd401685bff992dd643352031740c06

Download Submit