1bf9db8285719827160844a6a51292c30346c3099a4753c92177cba4e59b2404

General

Target

LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
Size

347KB
MD5

1d2585eb104895bd6a4059cee636cee7
SHA1

79437779f16915a20a5a38a768242427eed08401
SHA256

1bf9db8285719827160844a6a51292c30346c3099a4753c92177cba4e59b2404
SHA512

b5733f78528110f8f04c0df961f38a974d04a888a9b920ad48758954fadfa5a43d46106537dbfa9877acd25d58631d9c1cd4ffac709f13f7ad6ea43869b9d201

Score

7^/10

evasion trojan

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LIST OF PRODUCTS AND SPECIFICATIONS.bat.execmd.exe

description pid process

Token: SeDebugPrivilege 1636 LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
Token: SeDebugPrivilege 1692 cmd.exe

description	pid	process
Token: SeDebugPrivilege	1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
Token: SeDebugPrivilege	1692	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

LIST OF PRODUCTS AND SPECIFICATIONS.bat.execmd.exe

pid	process
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1692	cmd.exe
1692	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

LIST OF PRODUCTS AND SPECIFICATIONS.bat.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 896 wrote to memory of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 1276 wrote to memory of 1692	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1692	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1692	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1692	1276	Explorer.EXE	cmd.exe
PID 1692 wrote to memory of 1864	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1864	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1864	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1864	1692	cmd.exe	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

LIST OF PRODUCTS AND SPECIFICATIONS.bat.exeLIST OF PRODUCTS AND SPECIFICATIONS.bat.execmd.exe

description	pid	process	target process
PID 896 set thread context of 1636	896	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
PID 1636 set thread context of 1276	1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	Explorer.EXE
PID 1636 set thread context of 1276	1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe	Explorer.EXE
PID 1692 set thread context of 1276	1692	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

LIST OF PRODUCTS AND SPECIFICATIONS.bat.execmd.exe

pid	process
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1636	LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1864 cmd.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1864	cmd.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
PID:1276

C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
"C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:896

C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe
"{path}"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1516

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1504

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS AND SPECIFICATIONS.bat.exe"
3⤵
- Deletes itself
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1636-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1636-3-0x000000000041E2F0-mapping.dmp

Download
memory/1692-4-0x0000000000000000-mapping.dmp

Download
memory/1692-5-0x000000004A480000-0x000000004A4CC000-memory.dmp

Filesize
304KB

Download
memory/1692-7-0x0000000003210000-0x0000000003399000-memory.dmp

Filesize
1.5MB

Download
memory/1864-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads