51488a93ef9db5733c189d0b986b62ed7384fd15a2b6b18b9cde2c5dd6051ab5 | Triage

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 09:57

Sharing

Report Analysis Logs

General

Target

Aplus/INSTALL.bat
Size

80B
MD5

59b9f8431b27b3c63805fce7ec5b330d
SHA1

8ddd44ea8f44dcf3bb76cdf01fef77c4d8ec21b9
SHA256

0380131e0f313b77225d59b599b5b14a8c924d612fc58b7cc48c506f0c421298
SHA512

b51a03e229b637217808436601d7e317b6702874fdb5a1371bc59e3a6e0624e61c09e3897405721ada5029659754aec9b47574c62ce23d88389403b28b6d4a90

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\windows\system32\chameleonButton.ocx	xcopy.exe
File opened for modification	C:\windows\system32\chameleonButton.ocx	xcopy.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\windows\system32	xcopy.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 4820	1320	cmd.exe	85
PID 1320 wrote to memory of 4820	1320	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Aplus\INSTALL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\xcopy.exe
  xcopy chameleonButton.ocx "C:\windows\system32"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads