57deb4d31b0513c9f833f1067820faf9193db43152dc924d9165607c4f560b69

Analysis

max time kernel
77s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2022, 14:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

test1.bat
Size

210KB
MD5

0a740ba4732a6b943da05ac63fb5c2d5
SHA1

ccdf269811c07fc6415b62f765e3f58903dfe61b
SHA256

57deb4d31b0513c9f833f1067820faf9193db43152dc924d9165607c4f560b69
SHA512

993a6dfce66bb4d4c6fd716c396e05667a51564ea00dbcb4c6f38143096944609e0ffe8b23a842c5a246864ee0185756ea9e66a7345d6fa81b3b49a9c72ce347
SSDEEP

6144:d96cEqR1F6sCKKztZlKoi1PpNpNxUXE+v+5UV:XVDVCKH1hNq0+W5UV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4208	gatherosstatemodified.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstatemodified.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstatemodified.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstatemodified.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	gatherosstatemodified.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstatemodified.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3656	powershell.exe
3656	powershell.exe
3736	powershell.exe
3736	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1868	3712	cmd.exe	80
PID 3712 wrote to memory of 1868	3712	cmd.exe	80
PID 1868 wrote to memory of 2676	1868	net.exe	81
PID 1868 wrote to memory of 2676	1868	net.exe	81
PID 3712 wrote to memory of 4780	3712	cmd.exe	82
PID 3712 wrote to memory of 4780	3712	cmd.exe	82
PID 3712 wrote to memory of 4476	3712	cmd.exe	92
PID 3712 wrote to memory of 4476	3712	cmd.exe	92
PID 3712 wrote to memory of 3656	3712	cmd.exe	93
PID 3712 wrote to memory of 3656	3712	cmd.exe	93
PID 3656 wrote to memory of 4508	3656	powershell.exe	94
PID 3656 wrote to memory of 4508	3656	powershell.exe	94
PID 4508 wrote to memory of 716	4508	csc.exe	95
PID 4508 wrote to memory of 716	4508	csc.exe	95
PID 3656 wrote to memory of 3256	3656	powershell.exe	96
PID 3656 wrote to memory of 3256	3656	powershell.exe	96
PID 3712 wrote to memory of 4844	3712	cmd.exe	97
PID 3712 wrote to memory of 4844	3712	cmd.exe	97
PID 3712 wrote to memory of 3736	3712	cmd.exe	99
PID 3712 wrote to memory of 3736	3712	cmd.exe	99
PID 3712 wrote to memory of 4208	3712	cmd.exe	102
PID 3712 wrote to memory of 4208	3712	cmd.exe	102
PID 3712 wrote to memory of 4208	3712	cmd.exe	102
PID 3712 wrote to memory of 2056	3712	cmd.exe	103
PID 3712 wrote to memory of 2056	3712	cmd.exe	103
PID 3712 wrote to memory of 1612	3712	cmd.exe	106
PID 3712 wrote to memory of 1612	3712	cmd.exe	106
PID 3712 wrote to memory of 4288	3712	cmd.exe	107
PID 3712 wrote to memory of 4288	3712	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\net.exe
  NET FILE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 FILE
    3⤵
    PID:2676
- C:\Windows\system32\mode.com
  mode 76, 30
  2⤵
  PID:4780
- C:\Windows\system32\chcp.com
  chcp 850
  2⤵
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pj3g13do\pj3g13do.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8D0.tmp" "c:\Users\Admin\AppData\Local\Temp\pj3g13do\CSC9742D00E7CE447D2997BFB49644840C.TMP"
      4⤵
      PID:716
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:3256
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\system32\slmgr.vbs -ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions).OSProductPfn
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\HWIDFiles\gatherosstatemodified.exe
  C:\HWIDFiles\gatherosstatemodified.exe Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;DownlevelGenuineState=1
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4208
- C:\Windows\system32\ClipUp.exe
  clipup -v -o -altto C:\HWIDFiles
  2⤵
  PID:2056
- - C:\Windows\system32\clipup.exe
    clipup -v -o -altto C:\HWIDFiles -ppl C:\Users\Admin\AppData\Local\Temp\tem55A.tmp
    3⤵
    - Checks SCSI registry key(s)
    PID:5008
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\system32\slmgr.vbs -ato
  2⤵
  PID:1612
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\system32\slmgr.vbs -xpr
  2⤵
  PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HWIDFiles\GenuineTicket.xml

Filesize
1KB

MD5
e268e482cad3a89c993d552cc3abb9c6

SHA1
fc0d85488eb1f13e144b57fbd4074ba4ecf022aa

SHA256
6246971941541eefc349d671bfb6f25c177b1bdbc14038f00b282668aceac983

SHA512
c401764f935cee06eb4e8e4f56b750ba98005b898e6287c9c09ccf16d83630996095736d03bd397e2da61eace02ddb56dfc6458794a26337517b649640470ec7

Download Submit
C:\HWIDFiles\gatherosstatemodified.exe

Filesize
330KB

MD5
892fae48577e46eabd9fbbc4107d924c

SHA1
3fccb9c359edb9527c9f5688683f8b3c5910e75d

SHA256
5b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7

SHA512
49f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
693baf43e3d5fefa0883380c7a77c69a

SHA1
f3e6115432504e8bd401d8c0ff2da43e708707e5

SHA256
27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e

SHA512
29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
163KB

MD5
7492829a6d0bd32b501eb2c4938fe2ee

SHA1
480eb57082902e34778411169e25759e8d57b1ea

SHA256
843b719a80e10527e2383d1e499a08f7983912afe55ec73c69c8d14fe5b2f266

SHA512
50d5795840e5e2bbeb355dd1332a00c99acee72a05287e5c02d41fd7d1235d2ef5c88eb3524ebe985c52e419913a712639178dc1eff5d8cd8dbe098427cafade

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8D0.tmp

Filesize
1KB

MD5
a263abe6f34536f9373fa77b7a530f81

SHA1
f81fdfdaf211775c90a829caa8c936a52e664a0a

SHA256
fb0550572d712552e9e5f182cce009ab4251e8d5d7453c357ebd710eefa6f5c6

SHA512
0450ada302563abf281a5b080e9135fc158cadf879ba4fa5d12f55ea7e96ba50fd0fb8b43c37896fc5b7435e4275a355c6eb9fe932ca52e46b51e0f68861aee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gatherosstatemodified.exe

Filesize
330KB

MD5
892fae48577e46eabd9fbbc4107d924c

SHA1
3fccb9c359edb9527c9f5688683f8b3c5910e75d

SHA256
5b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7

SHA512
49f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pj3g13do\pj3g13do.dll

Filesize
3KB

MD5
d4bf33d4e50b82abb19b765f24a12328

SHA1
648907d001ffe7350ffed43f3819b21f57383a24

SHA256
8049c7167dd2bcd5e31c2167b4955e2f756b39932f4361951518c301d6af34f3

SHA512
2b7dc9ea76842c54e3fdb575d99718e597a403d1a91a227024b6104b36e9e5c14a8116471c3dd8f9cbd9311cf271187ed5652fbc028052f2cec0c3d52f455d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem55A.tmp

Filesize
582B

MD5
76a2c413abdf65fe97ae29f62ded03b4

SHA1
efe26a7231869c417830504f92ac1dda95d2c0ff

SHA256
15cd5b67c7ab9fd21eae8aa6d10972c2e75f011555aad5dad4b006b008f91b35

SHA512
68ebfbf48344942c7000a082636b8add07739ea2d21490387e61fb7b3d3872b569deafe4fde3de7e2a011be00ab9ad78d093898f17a6447afcfeb0edcf5972ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pj3g13do\CSC9742D00E7CE447D2997BFB49644840C.TMP

Filesize
652B

MD5
c35671478b88e65d1c8a0f17f823a6d2

SHA1
8082139f1d0a65aedb336a08915a0111a5a64d30

SHA256
0bf436ce46ead0b030f48798def84ce9f9a2127ecc86840ab851a8deff46e005

SHA512
01b5e1548f94b380db852c1841054d411b58a207771f7d64f600bfc17acaf6b35b67db671a29c38fc0bc931ee793dc124b5aa7159a7428202ded301e3990cf18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pj3g13do\pj3g13do.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pj3g13do\pj3g13do.cmdline

Filesize
369B

MD5
7a96cca07ce0de1b44a2a22e53468fde

SHA1
9d916759adb7abba9b4b5af46720c0b59a17ab0c

SHA256
8926bd81efdd677cd0f83475e9dfc6ee1ff9b21d9a064ad57a6e53f8182a17ff

SHA512
b2d263424631ae187f54c45c26c58dfdcab8a7ef05f850d41a0b60107e178b28cbbe92c904da22d5598ba827ee91f0e2abc7aa4672a93d882aa248ee25cc8714

Download Submit
memory/2056-170-0x0000023930BD0000-0x0000023930BE0000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x0000023930BD0000-0x0000023930BE0000-memory.dmp

Filesize
64KB

Download
memory/2056-158-0x0000023930BD0000-0x0000023930BE0000-memory.dmp

Filesize
64KB

Download
memory/2056-163-0x0000023930BD0000-0x0000023930BE0000-memory.dmp

Filesize
64KB

Download
memory/2056-159-0x0000023930BD0000-0x0000023930BE0000-memory.dmp

Filesize
64KB

Download
memory/3656-137-0x000002115FC90000-0x000002115FCB2000-memory.dmp

Filesize
136KB

Download
memory/3656-138-0x00007FFAB6B60000-0x00007FFAB7621000-memory.dmp

Filesize
10.8MB

Download
memory/3656-148-0x00007FFAB6B60000-0x00007FFAB7621000-memory.dmp

Filesize
10.8MB

Download
memory/3736-154-0x00007FFAB6B00000-0x00007FFAB75C1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-160-0x00000242EF840000-0x00000242EF850000-memory.dmp

Filesize
64KB

Download
memory/5008-167-0x00000242EF840000-0x00000242EF850000-memory.dmp

Filesize
64KB

Download
memory/5008-166-0x00000242EF840000-0x00000242EF850000-memory.dmp

Filesize
64KB

Download
memory/5008-164-0x00000242EF840000-0x00000242EF850000-memory.dmp

Filesize
64KB

Download
memory/5008-165-0x00000242EFA30000-0x00000242EFB83000-memory.dmp

Filesize
1.3MB

Download
memory/5008-161-0x00000242EF840000-0x00000242EF850000-memory.dmp

Filesize
64KB

Download