88a3cc48a8bcef7873b286ecaf3a4e618dd20fd478fd9fae1634bdb5b4b79461

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2024, 11:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

docs/release/build/make64.bat
Size

360B
MD5

4509df1a39c5581a775f1d48756fabdc
SHA1

6a4ae74cedbe5f414f8bf1f7951a4cfaa7d34c91
SHA256

d2a0bf481cdce9af659fafa82519af22e8cef599b99681afe2999c6eec4e6383
SHA512

e74ca7ea5b24e7db3f451bf6af7bc2f20209dca16455678157e48e7cf7fd0280f2193546ff7f0cfc71f99385b386a5db096c6b5c1ead205d1d09a3f738c66741

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2076	3320	cmd.exe	82
PID 3320 wrote to memory of 2076	3320	cmd.exe	82
PID 3320 wrote to memory of 2756	3320	cmd.exe	83
PID 3320 wrote to memory of 2756	3320	cmd.exe	83
PID 3320 wrote to memory of 4792	3320	cmd.exe	84
PID 3320 wrote to memory of 4792	3320	cmd.exe	84
PID 3320 wrote to memory of 3620	3320	cmd.exe	85
PID 3320 wrote to memory of 3620	3320	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\docs\release\build\make64.bat"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo."
  2⤵
  PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" time"
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo."
  2⤵
  PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" time"
  2⤵
  PID:3620

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

86.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.49.80.91.in-addr.arpa

IN PTR

Response
DNS

227.66.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.66.18.2.in-addr.arpa

IN PTR

Response

227.66.18.2.in-addr.arpa

IN PTR

a2-18-66-227deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

86.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

86.49.80.91.in-addr.arpa
8.8.8.8:53

227.66.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

227.66.18.2.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.