Analysis

  • max time kernel
    80s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-01-2023 15:06

General

  • Target

    b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.cmd

  • Size

    1.7MB

  • MD5

    1f6a89d8a8aec95533d0235ce5d69c8e

  • SHA1

    0b2eca9f1e131bcbd5309b1f596d906541d9a2a8

  • SHA256

    b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68

  • SHA512

    499bcd0bb3c8cb4b2836bdcff8f70f365b39ac475312d9335146dc974130648397eb40ecce22e71368d31bf9709ea6e6521d74e07238e73174244a6e906a9aef

  • SSDEEP

    24576:cirqaNtQ6qtojek9Vw01vidfdNYLxAFC194otXHA9OiI92pfLWjbNG2jSZGZSeSZ:Njwy9aRtC19ZwfLGUGoX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\system32\more.com
        more +5 C:\Users\Admin\AppData\Local\Temp\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.cmd
        3⤵
        PID:1516
      • C:\Windows\system32\certutil.exe
        certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.0_20220306\AutoIt3.exe"
        3⤵
        PID:764
      • C:\Windows\system32\certutil.exe
        certutil -decode -f C:\Users\Admin\AppData\Local\Temp\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.cmd "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\K75K\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.a3x"
        3⤵
        PID:576
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process call create '"C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.0_20220306\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\K75K\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Windows\system32\timeout.exe
        timeout /T 5
        3⤵
        • Delays execution with timeout.exe
        PID:1632
  • C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.0_20220306\AutoIt3.exe
    "C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.0_20220306\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\K75K\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.a3x" ""
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://mir4auto.000webhostapp.com/reg
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1824

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fdddd504c8b310d083fca095d159b471

    SHA1

    d684694daa36d05c48ffe3a6f5a699d00c19d802

    SHA256

    dd27634e3e22756e3bddabf31d320e9c596f7ebfd3cc6d2291bc8278eb16a756

    SHA512

    6a9f34f62395d6857089a76c9febf5d40f4121fd6c96ab13d76276bc07221951adb6dbae526531290bcc789b57be750467c1c03c55d64f535741acf4071397f1

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat

    Filesize

    11KB

    MD5

    0a3e23762f352f7cc6c822c973f26566

    SHA1

    12b2eb87c64c90972128faa06455aca6f2ac4c64

    SHA256

    e5d502be1f6ba28311c787bf1fdd49cf51180a0ba48002d05cc1c3bdbb379493

    SHA512

    f8b2eb755736b9827a205d9aa4b61183e085f3a1619c267292c30a7aa5fa573cdd5177a46bbec0bca1b4132de361253cf6ab353e3b02d09ee702fa7d1260f34e

  • C:\Users\Admin\AppData\Local\Temp\~~

    Filesize

    1.7MB

    MD5

    48dbbb5135806c91cf78a9253e17c5b4

    SHA1

    b4cde85caeb475e792672460eb0bfc83b898d72c

    SHA256

    8b96fa0379280ca96eee875412c417b0a8540b54a7c967e11a3cd97bbeec0491

    SHA512

    d294262ce1802afe9fe8a1aa9630b48920104ee52145db0134002aa8b15c39e3590d0d28d2d5594cc75d8c8f28c943194cf27dcc095a2176e9630f969950d7d3

  • C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\K75K\b25a732125cfe04c965f06403f1d3292a2f0b4c9c4ddeb6d874af91e36503f68.a3x

    Filesize

    363KB

    MD5

    f29b605735fafdda4a947eaf46ec10a8

    SHA1

    afdc8b1de2348b161ffcc0ad0a7500fa9c20066f

    SHA256

    85df818a418285ee6386907a0fadf5a37ed9fd35e3188c2a716c21b2c33e9ee2

    SHA512

    3292fdff2ff1f4011c8f02073406a2009eec1bf1665d5c5785e028c6864806b4dd69ca739754a2ce985eef7ea18366e6a702efb0219001aaaed2d707ee042e0a

  • C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\V3316~1.0_2\AutoIt3.exe

    Filesize

    924KB

    MD5

    6987e4cd3f256462f422326a7ef115b9

    SHA1

    71672a495b4603ecfec40a65254cb3ba8766bbe0

    SHA256

    3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

    SHA512

    4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

  • C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.0_20220306\AutoIt3.exe

    Filesize

    924KB

    MD5

    6987e4cd3f256462f422326a7ef115b9

    SHA1

    71672a495b4603ecfec40a65254cb3ba8766bbe0

    SHA256

    3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

    SHA512

    4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6UU51HPN.txt

    Filesize

    608B

    MD5

    c688e79774b5d39d29317e041533dc4a

    SHA1

    a9f12c519bb7309c851a55765078699162ac4e9e

    SHA256

    64c14d382baa961e87f309c82ecb389d96cfe614f4705e81dd8ccf11cdc596a1

    SHA512

    734bb3dc0fc1760ba69bd3535fdb5cb147c99476115c6c2a6f673fdfb15c28e87a05b8d754a26193494244c6587d97d6b54960c6db4b934ac2e85ddf8340b60b

  • memory/576-59-0x0000000000000000-mapping.dmp

  • memory/576-60-0x00000000FF7F1000-0x00000000FF7F3000-memory.dmp

    Filesize

    8KB

  • memory/764-57-0x00000000FF531000-0x00000000FF533000-memory.dmp

    Filesize

    8KB

  • memory/764-56-0x0000000000000000-mapping.dmp

  • memory/944-54-0x0000000000000000-mapping.dmp

  • memory/1380-61-0x0000000000000000-mapping.dmp

  • memory/1516-55-0x0000000000000000-mapping.dmp

  • memory/1632-63-0x0000000000000000-mapping.dmp

  • memory/1896-64-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB