b8a1e46ef14be22cfa81ffe3ed1ed5bbcb7b976d0ddaae57e842123699ac7bfe

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pluto/files/info.bat
Size

1008B
MD5

e85f0ba77dcf1c969645d2332c4acf91
SHA1

2950ca197922f4ba113234c64d70a219895386e6
SHA256

68196f1acf2cd2ee6015d79e6fc66a8ef2d878527fd7d9cef290c2a011b4c6ec
SHA512

01ac8bc0aa4e7c4565ef18ce80ce8887d5c22a9e3c3cd88dbbf9f3335d1b0793aa5ff5b86ec781663c4c5bf63a509ac7ac331ec3cf079d4bbcfc353ab4d1b619

Score

1^/10

Malware Config

Signatures

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2564	systeminfo.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2564	4816	cmd.exe	85
PID 4816 wrote to memory of 2564	4816	cmd.exe	85
PID 4816 wrote to memory of 1048	4816	cmd.exe	91
PID 4816 wrote to memory of 1048	4816	cmd.exe	91
PID 1048 wrote to memory of 3960	1048	cmd.exe	92
PID 1048 wrote to memory of 3960	1048	cmd.exe	92
PID 1048 wrote to memory of 1940	1048	cmd.exe	93
PID 1048 wrote to memory of 1940	1048	cmd.exe	93
PID 4816 wrote to memory of 3356	4816	cmd.exe	94
PID 4816 wrote to memory of 3356	4816	cmd.exe	94
PID 3356 wrote to memory of 3412	3356	cmd.exe	95
PID 3356 wrote to memory of 3412	3356	cmd.exe	95
PID 3356 wrote to memory of 4040	3356	cmd.exe	96
PID 3356 wrote to memory of 4040	3356	cmd.exe	96
PID 4816 wrote to memory of 4952	4816	cmd.exe	97
PID 4816 wrote to memory of 4952	4816	cmd.exe	97
PID 4952 wrote to memory of 5072	4952	cmd.exe	98
PID 4952 wrote to memory of 5072	4952	cmd.exe	98
PID 4952 wrote to memory of 3120	4952	cmd.exe	99
PID 4952 wrote to memory of 3120	4952	cmd.exe	99
PID 4816 wrote to memory of 4076	4816	cmd.exe	100
PID 4816 wrote to memory of 4076	4816	cmd.exe	100
PID 4076 wrote to memory of 1508	4076	cmd.exe	101
PID 4076 wrote to memory of 1508	4076	cmd.exe	101
PID 4076 wrote to memory of 432	4076	cmd.exe	102
PID 4076 wrote to memory of 432	4076	cmd.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pluto\files\info.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "Registered Owner"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:3960
- - C:\Windows\system32\find.exe
    find "Registered Owner"
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "OS Name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:3412
- - C:\Windows\system32\find.exe
    find "OS Name"
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "System Manufacturer"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:5072
- - C:\Windows\system32\find.exe
    find "System Manufacturer"
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\info.txt | find "Product ID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\info.txt "
    3⤵
    PID:1508
- - C:\Windows\system32\find.exe
    find "Product ID"
    3⤵
    PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.txt

Filesize
2KB

MD5
6c1e6d1e1ed8552936324e6e4dc02607

SHA1
ddb39c10b7c5fd143828bdde5d1f554977b22531

SHA256
4ce0701fb20dac168eeb9fa5a0f9479f4e7b57150da81a643963454f6cf8e6ec

SHA512
62280677d257c4091d75554a5f17a9bcc16dab90c8c1f8533704a40b8b529f628878f605b87ee84442c1cff7655094dc218707923ca14a65f79cda17e9708ded

Download Submit